Friday, April 4, 2014


Data Integrity Will Enable Big Data Analytics

We continue to see real-world and mostly bad-news scenarios where one can be readily convinced that necessary information to avoid much of the bad news was “available”, but data was not being processed and managed to create an actionable result in a timely way.   As a partial result, analytics at cloud scale to inform truly valuable assessments, or suggest key courses of action, especially high-performance analytics using in-memory approaches, are deservedly seeing significant investment in both resources and brain power. 
Analytics require access to data.  But how do we convince data owners that the benefit of pointing their enterprise telemetry to an analytics engine outweighs the risk that their content will be compromised or corrupted while in the engine?   Data owners must be enticed to make the concept of data availability an easily- checked box, rather than a painful decision point.   For many, the big-data value proposition at the macro level brings with it a natural uncertainty about control over data at the tactical level, which ultimately relates to whether the analytics product is truly actionable for that customer.   
Enterprise owners are more likely to embrace analytics – especially outsourced analytics – if they are not required to trust the analytics provider, and especially the provider’s insiders.   Trust as a pre-requisite to data sharing will not scale.   But if the provider can offer transparency and mutual auditability of the content feeding their analytics solution(s), taking the question of trust mostly off the table, the result will be increased attractiveness to potential customers.   The analytic services can be assessed on their own merits, without the distraction of uncertain integrity as a risk factor on the ROI.  And as a byproduct, the analytic services are themselves improved, as they’ll be fed by a larger body of content - further improving the ROI for all.
Keyless Signature Infrastructure (KSI) offers the scalable data integrity solution needed to enable data availability to these engines, and thus a sustainable large-scale analytics business model.  KSI, when used as a complement to big-data analytics and related services, offers the proof of integrity that the analytics alone cannot. 
Just as in a multi-tenant object store, KSI is an enabler of the multi-tenant analytics approach.  Many potential users of analytics face problems with common denominators, and in those cases, analytics which draw on content from multiple contributors will be value-added to all with similar challenges.  Even competitors in a market will decide to contribute their content to a common analytics engine working shared problems , but only if they have evidence-quality proof of who is and is not touching their data, along with complete assurance that their content is intact.  In addition, they must be confident that the assessment returned from the analytics was based on authentic information - even if the complete information set itself is not exposed in the assessment (e.g. because some of it came from a different tenant).  This is again fundamental to the question of whether the product is actionable.  Use of KSI offers this potential, and will again incentivize data owners to make their content “available” to the analytics.
Going further, KSI can also enable a future in which the customer doesn’t need to choose among the wide and growing array of analytics providers, and can instead can leverage analytics “brokers”, who maintain current situational awareness on the strengths of multiple engines, and can tailor the service delivery over time to what best fits the customer’s needs.  Again, assurance of data integrity is a critical enabler of data availability to feed such a model, as the customer is now agreeing to let their content reach multiple third party engines.   The value of KSI in that scenario is critical, as it enables unique and actionable information to reach that customer, who can now achieve a breakthrough or avoid a disaster.  

Monday, February 3, 2014

It’s Time to Drive Out Malicious Insiders



Last week’s open Senate Intelligence Committee hearing with leaders of the Intelligence Community included phrases such as “profound damage”, and “costs of human lives on tomorrow’s battlefield” to describe the impact of Edward Snowden’s insider theft.   In light of the severity, it was unfortunate that the hearing spent very little time attempting to describe the leadership’s plan of action to prevent similar thefts in the future.  But that’s really not too surprising, as the standard approaches of the past are demonstrably weak, if not outright enabling, and re-invigorating those might simply compound the failure modes – such as adding yet more insiders.  

We seem to be struggling to identify a set of way-ahead recommendations that can be differentiated from the past, can be implemented while actually decreasing the insider population, and that provide the only truly sustainable way ahead against insiders: deterrence.   While Keyless Signature Infrastructure (KSI) is not a silver bullet against the entire malicious insider problem, it certainly has the aforementioned attributes – and most especially the ability to create strong deterrent effects.

Every insider today, whether or not a malicious thought has crossed his/her mind, knows the following things about their environment:

1.      It takes an insider to detect and report an insider - and the other insiders frequently known, susceptible to influence, and their behaviors are understood, monitored, and possibly capable of being controlled.  Bradley Manning was effectively controlling the behavior of those around him while walking out the door with discs full of stolen documents.

2.      The “noise floors” are very high.  Most organizations lack timely and consistent change monitoring, and both good and “other” changes are reported similarly.  The time-consuming nature of filtering out good change means it doesn’t occur in a timely fashion on even a significant subset of all the changes.

3.      Two insiders may not be better than one - separate from the fact that more insiders are the last thing we need.  In addition to weaknesses in ensuring independence (e.g. if they’re romantically involved), there will frequently be a superior/inferior issue at play, which will tend to reduce the possibility of an adverse report.

4.      The typical delays between malicious activity, its detection, and follow-up action are substantial, and known by all.  Days in the most obvious cases, but weeks to months in many others.

Meanwhile, many insiders already feel overtasked in their day jobs, such as simply keeping the enterprise up and running, and in basic compliance with certification and accreditation requirements (most of which are not focused on insider threats).  Watching over their peers is a chore most don’t have the time for, even if they were inclined to do so.

Effective application of KSI will materially change these environments for insiders, especially by injecting true deterrent effects into the dynamic – i.e. putting human nature to work for us, rather than continued reliance on demonstrably futile alternatives like background checks.  KSI will help ensure that many insiders who have that one fleeting malicious thought will quickly dismiss it, and not progress to the planning and execution stage.  And those who do progress will be continually faced with considering the almost certain consequences of their actions, and many will turn back.

Fundamentally, a potentially malicious insider in a KSI-infused environment will know that he/she cannot cover her tracks, their activity will be detected and communicated quickly, and social engineering efforts against peers will not be useful.   A very powerful attribute of KSI is the ability to easily abstract the detection/monitoring functions from the underlying data – enabling “dashboards” of enterprise integrity to be widely distributed, e.g. to mobile devices.    

Alerts on both constructive and adverse change are widely disseminated, and “test cases” can be executed on a regular basis to demonstrate to all the rapid detection and reaction enabled by KSI.  These tests can mimic actual events of the past, and clearly highlight to all the “before and after” impact of introducing KSI.   When malicious activity is provably detected and communicated before the insider leaves the building, and that result is widely shared, the casual insider will quickly decide to consider other ways to spend time.

In addition, the fully portable nature of KSI-based detection and attribution reduces  the cycle times that today’s insider community takes for granted when thinking about the insider problem.  The ability to rapidly extract and share evidence-quality proof of activity – without exposing unrelated content of logs or object stores – makes same-day forensic responses a reality.  Again, very public demonstration of these reaction times will deter those whose inclination toward malicious planning has been advanced by the ponderous nature of our past responses.

The practical deterrence offered by KSI brings with it the very high likelihood of actually reducing the ratio: (# of malicious attempts / size of the enterprise).  All other approaches to the insider threat to date – even when functioning as intended (see: background checks) – fail to provide a plausible path to reducing this ratio.  As our enterprises grow into the cloud, and become even more seamless, such a reduction is the only scalable and sustainable way ahead against insiders – and KSI will help get us there.  

Meanwhile, underlying the entire proposition of KSI against the insider threat is this:  Use of KSI will drive down the number of insiders needed to effectively monitor and protect an enterprise in the first place.  This is the win-win that KSI brings like no other technology available today:  A reduced insider population, with dramatically reduced interest in doing anything malicious.