How real-time computing can sound the kill chain alarm
Major attacks and ransomware incidents like SolarWinds, Colonial Pipeline or JBS highlight the critical role cybersecurity plays in protecting infrastructure and the economy. Delays in incident response can directly impact thousands of people due to leaked personal data, damage to infrastructure, business interruptions, and more.
With the increasing number of large-scale attacks, organizations across all industries, and especially those that meet critical needs, must become better prepared.
Current security information and event management (SIEM) solutions are typically designed to log activity and then apply rules, written by security practitioners, to those logs in order to extract the events that should raise an alert within an organization.
Log analysis attempts to identify an attacker’s chain of activity (a “kill chain”) that could lead to the injection of malware or other malicious actions. SIEM software usually includes dashboards that show managers raw telemetry by region or events recorded over time.
The challenge for SIEM solutions is to overcome the delay needed to perform forensic analysis of logs and extract patterns from large volumes of aggregated telemetry. This delay makes it difficult for security professionals to spot and mitigate emerging kill chains as they occur. While these solutions do a good job of monitoring attack vectors, they fall short in identifying emerging threats in real time.
A software technique called in-memory computing may be just the answer to this problem. Many SIEM solutions maintain agents for nodes (such as workstations, servers, routers, and switches) within an organization’s IT infrastructure to report suspicious events that could signal a threat.
Instead of just displaying these events on a dashboard and adding them to a log for offline analysis, in-memory computing technology can track incoming events with contextual information and react within milliseconds to potential threats. This accelerates the detection of cyber kill chains and offers the potential to interrupt them in real time.
Using in-memory computing, SIEM software can create a software construct called a real-time digital twin (RTDT) for every agent that sends event messages to report possible intrusions within a network infrastructure. Each digital twin can incorporate evolving information about the state of the associated network node to help analyze incoming messages and update this state data over time. Each RTDT can continuously run a machine-learning algorithm to classify detected activities and signal alerts to managers when a threat is predicted.
Because they maintain state information about network nodes, RTDTs shift the application’s focus from tracking incoming data streams to tracking the dynamic state of the network itself. The net effect is that cybersecurity professionals can develop a significantly deeper understanding of a potential cyber threat, and they can take quicker and more effective action when needed.
RTDTs might also help detect kill chains as they emerge. If an RTDT detects a potential threat in an outbound connection to another node in the network, it can send a message to that node’s RTDT to assist in the detection of a kill chain. By sending messages between RTDTs, they can track the progression of an intruder within a network, build a real-time map of potential kill chains, and possibly get ahead of an intruder to block threats.
Current SIEM techniques that require log analysis to spot cyber issues after they have occurred can’t respond fast enough to interrupt an attack in progress, and the consequences of delayed action can be severe. New technologies, such as in-memory computing with real-time digital twins, offer a new tool for detecting and stopping cyber attacks as well as mitigating their effects.