Evolving Information Security Part 2: Developing Collective Intelligence

<this is part 2 of a 3 part series>

I originally posted about my issue with the concept of herd-intelligence (here) and although it is an interesting idea, it is a terrible name. It is also too reliant on central distribution of intelligence. What is really needed is a broader discussion on distributed collective intelligence, independent of central or back-end servers. This would drive greater automation of technical and security controls as well move us closer to swarm intelligence where security moves from a model of defensive to offensive computing.

The hype around automating operational controls has been brewing for years. Both IBM ‘s autonomic computing and Cisco’s self-defending network impart a sense that the infrastructure will come alive and respond to changing stimuli independent of user interaction. A series of conditions or policies would be defined that govern the response mechanism. Conceptually, I believe most can imagine the ability for computing devices to dynamically reconfigure themselves or act in concert with the collective as a response to environmental variability. Of course this breaks down in the face of the inherent limitations of the majority of systems and security management technologies in place today.

Client-Server computing architectures are unable to support evolving IT demands or deal with evolving security threats

In the 80 and 90’s the majority of organizations had fairly static device populations. There was little need for support or management of mobile, intermittently connected devices. Perimeters were put in place to keep the bad guys out, and requirements for speed and agility were less demanding. There was no real need to support a world that would become distributed, global, and unbounded by traditional perimeter security and loosely controlled networking environments.

Most enterprise systems management technologies were developed against these early requirements for central control. These vendors invested heavily in back-end architectures. BMC, CA, HP, Landesk, McAfee ePO, Microsoft SCCM (yes they claim peer to peer but you still need like 10 agents and a mess of back-end servers), Symantec/Altiris, and Tivoli, are all head-end server centric technologies. Essentially they maintain the intelligence at the server level and issue commands to agents when it is time to perform certain tasks.

There are several problems with this model, especially at scale, which include:

• The amount of infrastructure and cost to support the management or security tools.
• The tools tend to be brittle and do not easily adapt to dynamic environments or conditions.
• Penalties of time, with common tasks taking days or weeks.
• Inherent problems with management of remote, mobile, or intermittently connected computing devices.

The model needs to be reversed with the intelligence distributed out to the computing devices, whether they are physical or virtual, whether they are connected to the corporate LAN or are roaming through an airport, hotel, or Starbucks. These intelligent agents should be able to function independent of a back-end server and be able to dynamically and continuously assess, enforce and remediate the health and security of computing devices in real-time. For the record this is how BigFix works, but as the CTO, you must have known I was going to mention them. This post, however, looks at the future of systems and security management and how to better adapt distributed computing and collective intelligence to deal with dynamic threats in increasingly decentralized and global computing environments.

The Problem with Network Security

Before I continue, I think it important to note why it is so critical that end-point security is improved and why relying on network security alone will become inherently unreliable.

I know this is blasphemy for folks like Richard Stiennon, Richard Bejtlich, and John Pescatore, who all have stated that you cannot trust the end-point, and are strong advocates of some form of network security technology. But before you throw me to the wolves, let me explain. The network today is far more complex and porous than yesterday’s, and it will become even more so in the future. The effectiveness of network security technologies will decrease as organizations implement new technologies and adapt new business practices, these include:

• Web services, which allow more external -> internal access and are harder to secure.
• Service oriented architectures, which decrease central visibility and control.
• Software as a service, which almost entirely remove visibility and control from the organization.
• Virtualized environments, which can be self-contained decreasing network transactions between web, database, application and file servers and may appear to share a common network interface.
• Hand-held computing devices and mobile, remote users, which carry and transmit sensitive and sometimes critical information as well as create new vectors for attack.
• Merger or acquisition, which can introduce a set of insecure communication channels between separate environments.
• Reliance on the Internet for business transactions, which can introduce significant issues of trust and accountability.

One can argue that you would simply move critical infrastructure behind strong fortifications, but once information finds its way onto a mobile device, or the Internet – and it will find its way – monitoring network activity becomes a poor substitute for next generation architectures. As has been stated in the past, the end-point is the new perimeter or more correctly there are no more perimeters.

Distributed computing changes the game

Distributed computing combined with coordination, cooperation and group cognition, enables the infrastructure, or the individual device, to change state quickly. Pushing intelligence to the computing devices themselves enables highly efficient infrastructure management without requiring user interaction. It enables the infrastructure to self-heal, which brings many benefits including:

• Rapid responses to emerging threats or attacks occurring in real-time, which can dramatically limit the attacks impact or negate it all together.
• Resolve service disruptions or operational failures in seconds or minutes 24 by 7.
• Highly efficient application acceleration based on changing state of the environment.
• Dynamically enable the most efficient routing to internal/external services based on shared environmental knowledge.
• A host of use cases, which are more easily solved when using an intelligent, distributed computing approach.

Logistically one cannot leap from heavy back-end centric client-server architectures to computing devices that can heal themselves and their peers in a single step. The evolution of infrastructure computing will pass through a set of increasingly sophisticated characteristics. This evolution will result in the realization of a self-aware, dynamic infrastructure with individuals working together to cooperate, communicate and have some level of cognition prior to and during various operational failures, whether they are malicious or accidental.

The self-healing infrastructure

How do we move from legacy systems to distributed agents that make collective intelligence a reality, and how do we apply this technology to current security and systems management?

The first step is to completely decouple agents from back-end servers. The intelligent agents must have complete knowledge of the computing devices they reside on. Based on state or environmental changes, the agent will be able to heal the device independent of user or back-end server interaction. Application of this model would include security configuration management, patch management, threat management, and other basic systems and security management functions.

Once the agent is fully aware of the state of devices it resides on, physical or virtual, it will need to expand its knowledge of the environment it resides in and it’s relative positioning to others. Knowledge of self, combined with knowledge of the environment expands the context in which agents could effect change. In communication with other agents the response to threats or other problems would be more efficiently identified, regardless of location.

As knowledge of self moves to communication with others there is the foundation for inter-device cooperation. Communication and cooperation between seemingly disparate devices, or device clusters, creates collective intelligence. This simple model creates an extremely powerful precedent for dealing with a wide range of information technology and security problems.

Driving the intelligent agents would be a lightweight and adaptable policy language that would be easily interpreted by the agent’s policy engine. New polices would be created and shared between the agents and the system would move from simply responding to changes and begin to adapt on its own. The collective and the infrastructure will learn. This would enable a base-level of cognition where seemingly benign events or state changes coupled with similarly insignificant data could be used to lessen the impact of disruptions or incidents, sometimes before they even occur.

Real-time collective intelligence can dramatically shift the balance between always being behind the attackers and finally gaining some ground. Imagine what could be done when this model is pushed to a swarm intelligence model where the collective is used to not only respond defensively but can be used offensively as well.