Q&A: It’s Time To Automate Security. Part 2

By John Welton | April 07, 2017

What follows is Part 2 of a two-part interview with Fortinet’s James Cabe on the journey to security automation. Recognizing that most organizations are not prepared to make the jump to automation today, the following presents a realistic timeline to get from an intelligent network to truly automated, intent-based security, and a discussion of what that intent-based security will look like.

What is the timeline for getting to automation and intent-based security?

When we talk about the evolution of security, we talk about what it should look like by the year 2020. That seems to be the date that lots of analysts and experts are converging on as a tipping point in terms of data and devices on the network. The important thing is, you don't need it all now, but you're going to have to start building it if you’re going to realize the “2020 vision.”

Right now, everyone wants to talk about intelligent networking. Intelligence is great. Your average three-year-old is actually extremely intelligent - they're sponges for information - but you're not going to let a three-year-old drive a car. What they're missing is wisdom and the ability to divine the intent of others. So let’s use the analogy of human cognitive capability. Let's start with an intelligent network but let's treat it like it's a three-year-old. How do you get from intelligence to truly automated, intent-based security?

There are three basic building blocks that are critical:

  1. You need to be able to process and store huge amounts of data (the intelligence).
  2. You need the ability to learn, to turn that wealth of intelligence into wisdom that can guide actions.
  3. Finally, you need the ability to do something with that wisdom, to take action based on information.

That last part is something networks haven’t traditionally been able to do unless you automate it yourself manually. Today, automation is being built into security devices, making possible what people refer to as a “security platform.” But a platform is the wrong way to think about it. You don’t want a separate platform for security. There are already a lot of platforms out there for virtualized services. Isolating your security to a separate platform is really just more of the problem we’re trying to solve. Why not build security directly into the platforms you’re already using for compute or storage? Instead of a security platform, what you need is a fabric approach that ties everything together and gives you a single pane of glass to view things through. A security fabric woven through your entire complex, distributed network allows you to share information, integrate your different security solutions, and automate actions in response to threats.

That's the start of it, where you need to be in 2017. If you don't have those things, you're behind.

Once you have those basic building blocks in place, what is the next step?

The next step is to start defining where your normative values are. You need to collect and build intelligence about the way things happen in your business, when they happen, and why they happen. You need to build a wisdom template for your business, so that whatever is happening on the business side maps to what you're doing on the security side. For example, when you deploy a new workload or virtual machine with a few clicks of your mouse, security should be deployed right along with it. Right now, that is done manually, and can take hours you can’t afford. You will need that in 2018 – to be able to build those normative values, understand what your business looks like, and apply security to it in a wide manner as business processes change and adapt.

So after building all this wisdom about your business, what comes next?

If you get that first part right, then 2019 and 2020 are about developing the ability to divine intent, which is something you get after building up a nice store of wisdom. By “divining intent” we mean that when something happens on your network that is outside the norm, you are able to determine whether it's benign or dangerous based on a number of contextual factors. Right now, a lot of organizations have the ability to bubble up things that are out of the norm, but they pass them to humans to decide whether those things are malicious or suspicious. That’s where we are right now if you’re on the bleeding edge of things. When you do this enough times, you build up the wisdom to understand normative vs. non-normative behavior, and you can then start defining what is suspicious and malicious and build that into your fabric. The goal is to have the machines take over making these determinations for us, and then be able to automatically take action on suspicious or malicious items in as near real time as possible. That goes back to that automation fabric binding everything together.

Once your security solutions have the ability to identify all of the suspicious and malicious things that happen over a period of time in your network, you’ve given one more level of decision-making to the machines in your security fabric. Now you, as a human being, can get some kind of curated data back from this "wise" network so you can actually determine the intent of the attack, and maybe even why they are attacking you. At that point, IT is getting reports, just like you do in other areas of your business, and they can spend their time applying intelligence to those reports, refining the intelligence and wisdom in the system, and taking action to better protect your business. That is the 2020 vision. Everyone can become a data scientist and get back to focusing on the things that are most important.

Fortinet always talks about sharing threat information. Will information sharing speed up our progress to where we are trying to go?

Absolutely, but there are two levels of that. Right now, we share information on a macro level, between nations or across industries. Now if you're utilizing Fortinet’s cooperative security fabric and security services, you already have a lot of this. You're taking advantage of the data that FortiGuard Labs collects from more than two million sensors around the globe every day, then uses to keep customers up to date on the latest threats. We probably have the largest, most comprehensive sensor network on the planet, including that of the NSA.

Still, this doesn’t get us everything. What most organizations don’t do enough of is information sharing on a corporate level. That’s why our security fabric is designed with an open architecture that allows us to partner with other best-in-class technology companies who get and collect their own threat information, and cross-correlate that information with ours. Like intelligence from Verisign, for example. Because of their vast experience managing and securing .com and .net infrastructures, Verisign has an extensive intelligence-gathering network. But the data they get, like identifying patterns of domain registrations as attackers set up infrastructure to support their attack, is completely different from Fortinet’s sensor data. When combined, however, we can see things that are unavailable by looking at those data sets individually. That’s why cross-correlation is so valuable.

When we share and cross-correlate information, we become far more effective in our ability to sense exactly what's going on and who is attacking. That allows us to properly divine intent and take faster and more specific action to thwart an attack. Attribution is one of the hardest things we do in security. More data makes attribution easier.

We don't do enough of that at the corporate level. Businesses, large or small, can’t easily utilize this type of information unless they buy a bunch of these services and cobble them together themselves, which takes a lot of time and goes back to the skills gap we discussed earlier. The advantage of a security fabric is that this threat information automatically comes together, which is why organizations need to begin using a fabric-based approach to weave their security network together into an integrated solution. That's the idea behind the design of the Fortinet Security Fabric.

So what should intent-based security look like? What is the ultimate goal?

The goal is to build a security infrastructure that combines a firewall with signature and adaptive measures, like Content Pattern Recognition Language (CPRL), with tools that contain adaptive and behavioral security measures. These devices can then complement each other and dovetail together for a defense-in-depth set of countermeasures.

Can you define Signature, Adaptive, and Behavioral security measures for us?

Def.: Signature - n. A distinctive mark, characteristic, or feature indicating identity

This type of measure operates by searching for a known identity - or signature - for each specific intrusion event or file (in the case of antivirus). While signature-based IDS and antivirus are very efficient at sniffing out known attacks, they do depend on receiving regular signature updates to stay up to date with variations in hacker techniques. In other words, signature-based measures are only as good as their database of stored signatures.

Def.: Adaptive (root: adapt) - v. To make suitable to or fit for a specific use or situation.

Essentially this security measure is flexible enough to change behavior with the attempted intrusion. Example: a "hacker" will take a virus file, encrypt a portion of it, set another executable on it to unencrypt portions of the virus slowly, and then download the last bits of payload once it communicates back to the attacker. This is an adaptive attack that makes it difficult to be detected by signatures. In Fortinet’s security fabric, the CPRL in the FortiGate firewall mitigates this attack by using pattern recognition, which takes into account specific fragments of a file, as well as chunking and encryption techniques. If it sees suspicious indicators, the CPRL engine will send the full file or script to the FortiSandbox. It will then be run through emulation and explosion tools and then update the FortiGate on the threat score and IoC (Indicators of Compromise) patterns. Additionally, other parts of our Fabric, like the FortiWeb web application firewall, extend this protection by checking patterns and thresholds found in attacks against a web server or database after it learns how normal transactions work. It does not track multiple sessions that have different purposes, though. When you deal with a multi-pronged or disaggregated attack, you need a behavior engine.

Def.: Behavioral (root: behavior) - n. The actions or reactions of a person or animal in response to external or internal stimuli.

This picks up where the simple threshold and pattern matching protections leave off. This technology can track behaviors of specific hosts on an internal or external network. This includes C&C behavior, attack behavior, multi-session scanning, and attack differentiation. This is not a speed technology, so it is not typically used as an in-line appliance (i.e. FortiDB). Typically, it runs log and change analysis. It also tracks session handling and permissions changes. This usually includes a machine-learning engine that tracks standard deviation and mean. Where this type of protection leaves off is that it doesn't always take into account side-channel or Out-Of-Band (OOB) behaviors like IRC, Tor, posting boards, or encrypted messaging (not HTTPS or SSL) through torrent or User Datagram Protocol (UDP). Fortinet has no fewer than four appliances with behavior engines built in: FortiWeb (WAF), FortiDB, FortiSandbox, and FortiMail.
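The two definitions above describe two different detection principles: a signature measure matches known patterns against each event, while a behavioral measure learns what normal activity looks like (here, the mean and standard deviation the interview mentions) and flags deviations from it. The following script is an added example written for this page; it is not Fortinet code and does not model CPRL or any Fortinet product. It runs both measures over a constructed web-proxy log: the signature set is a placeholder list of patterns, the baseline log and the detection log are invented samples, and the per-host requests-per-minute count is the chosen behavioral feature.

```python
import re
import statistics
from collections import Counter
from dataclasses import dataclass

# Constructed log format: "<host> <HH:MM> <method> <path> <user-agent>"
LOG_LINE = re.compile(r"^(\S+) (\d\d:\d\d) (\S+) (\S+) (.+)$")

# Constructed "quiet period" used to learn the baseline: three hosts
# making 2, 3 and 4 requests in the same minute.
BASELINE_LOG = """\
10.0.0.1 12:00 GET /index.html Mozilla/5.0
10.0.0.1 12:00 GET /style.css Mozilla/5.0
10.0.0.2 12:00 GET /index.html Mozilla/5.0
10.0.0.2 12:00 GET /style.css Mozilla/5.0
10.0.0.2 12:00 GET /app.js Mozilla/5.0
10.0.0.3 12:00 GET /index.html Mozilla/5.0
10.0.0.3 12:00 GET /style.css Mozilla/5.0
10.0.0.3 12:00 GET /app.js Mozilla/5.0
10.0.0.3 12:00 GET /logo.png Mozilla/5.0
"""

# Constructed detection window: one host at a normal rate but with a known
# scanner user-agent, one slightly busy host, one host hammering /login.
DETECT_LOG = """\
10.0.0.1 12:05 GET /index.html Mozilla/5.0
10.0.0.1 12:05 GET /login Mozilla/5.0
10.0.0.1 12:05 GET /search?q=1 sqlmap/1.3
10.0.0.2 12:05 GET /index.html Mozilla/5.0
10.0.0.2 12:05 GET /style.css Mozilla/5.0
10.0.0.2 12:05 GET /app.js Mozilla/5.0
10.0.0.2 12:05 GET /logo.png Mozilla/5.0
""" + "\n".join(["10.0.0.9 12:05 POST /login python-requests/2.0"] * 12)

# Placeholder signature set (field to inspect, pattern); not any vendor's database.
SIGNATURES = {
    "scanner-user-agent": ("user_agent", re.compile(r"^sqlmap/", re.IGNORECASE)),
    "path-traversal": ("path", re.compile(r"\.\./")),
}


@dataclass(frozen=True)
class Event:
    host: str
    minute: str
    method: str
    path: str
    user_agent: str


def parse_log(text):
    """Turn raw log text into Event records, skipping lines that do not parse."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            events.append(Event(*m.groups()))
    return events


def signature_hits(events):
    """Signature measure: every event is checked against every known pattern."""
    hits = []
    for ev in events:
        for name, (field, pattern) in SIGNATURES.items():
            if pattern.search(getattr(ev, field)):
                hits.append((ev.host, ev.minute, name))
    return hits


def bucket_counts(events):
    """The behavioral feature: number of requests per (host, minute)."""
    return Counter((ev.host, ev.minute) for ev in events)


def learn_baseline(events):
    """Learning phase: mean and population standard deviation of the feature."""
    counts = list(bucket_counts(events).values())
    return statistics.mean(counts), statistics.pstdev(counts)


def behavioral_hits(events, baseline, z_threshold=3.0):
    """Behavioral measure: flag buckets more than z_threshold deviations above the mean."""
    mean, stdev = baseline
    hits = []
    for (host, minute), count in sorted(bucket_counts(events).items()):
        if stdev == 0:  # degenerate baseline: any change at all is a deviation
            z = 0.0 if count == mean else float("inf")
        else:
            z = (count - mean) / stdev
        if z > z_threshold:
            hits.append((host, minute, count, round(z, 2)))
    return hits


def analyze(baseline_text, detect_text):
    """Run both measures; returns the hits each one produced."""
    baseline = learn_baseline(parse_log(baseline_text))
    events = parse_log(detect_text)
    return {"signature": signature_hits(events),
            "behavioral": behavioral_hits(events, baseline)}


if __name__ == "__main__":
    for measure, hits in analyze(BASELINE_LOG, DETECT_LOG).items():
        print(measure, hits)
```

On the constructed data the baseline is a mean of 3 requests per host per minute with a standard deviation of about 0.82. Host 10.0.0.1 is caught only by the signature measure (normal rate, known scanner user-agent); host 10.0.0.9 is caught only by the behavioral measure (no known pattern, but 12 requests is about 11 standard deviations above the baseline); host 10.0.0.2 sits 1.2 deviations above the mean and is not flagged by either, which is the threshold trade-off every mean/standard-deviation detector makes. Neither measure sees anything that is not in the log it was given, which is the gap the interview's next paragraph on out-of-band sources addresses.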

This brings up a completely different type of measure, that some refer to as "threat intelligence." It combines Machine Learning with a technique called Deep Learning. Deep Learning is a branch of machine learning based on a set of algorithms that attempt to model high-level abstractions (such as human emotion or intent) in data by using multiple processing layers with complex structures, or otherwise composed of multiple non-linear transformations. Basically, the attack information comes from multiple OOB sources, like attack staging honeypots, posting boards, IP reputation, and encrypted messaging traffic, and then attempts to correlate that with real-time traffic measures like signature systems and adaptive appliances. FortiSandbox has the ability to learn new IoCs by taking apart files and scripts with DNS names and IP addresses in them and then pushing that data into a bespoke database for the individual site. This data can also be shared with FortiGuard, but it is not required. This is a huge differentiator.

This, essentially, is the Holy Grail.

Most people will read that and see it as something that is far off in the future. Is it possible today?

It is. This is something that FortiGuard Labs has actually been doing for a long time. It’s why the threat intelligence we provide is so good. With Fortinet and third-party tools tied together through our security fabric, you can combine Signature, Adaptive, and Behavioral security measures and feed those tools with up-to-date threat information from FortiGuard to achieve intent-based security. To adapt this security to your particular business, however, you will need to take the steps detailed earlier to gather and build your business intelligence so your security really understands your business. Every business can get there with the right tools and the right approach.