MIT is tackling a long-standing problem in cybersecurity: the reluctance of companies that suffer breaches to share the ugly details of those cyber attacks, replacing distrust and secrecy with transparency and cooperation.
For years, governments and organizations have run "trusted third-party" programs to gather this data and help CISOs better protect their organizations through collective knowledge. But MIT, seeing room for improvement, developed a new offering that it hopes will collect more comprehensive data and provide sharper insights to infosec professionals.
The SCRAM (Secure Cyber Risk Aggregation and Measurement) platform is designed to lessen organizations' privacy and liability concerns and thus promote broader data sharing.
MIT said SCRAM will offer greater confidentiality assurance through an innovation that lets it analyze an organization's encrypted data without having to read it or unlock it. According to MIT, "The power of this platform is that it allows firms to contribute locked data that would otherwise be too sensitive or risky to share with any third party."
Will SCRAM break the cyber-attack logjam? Here's what you need to know.
How it works
SCRAM, from MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL), can help organizations quantify how secure they are and assess their infosec spending priorities. It is currently a research-based tool intended to help companies get a better sense of their cybersecurity profile.
In its maiden voyage, SCRAM analyzed data from 50 cyber attacks against seven large companies and pinpointed specific steps that could have prevented the incidents.
"We were able to paint a really thorough picture in terms of which security failures were costing companies the most money," said Taylor Reynolds, technology policy director at MIT's Internet Policy Research Initiative (IPRI) and one of SCRAM's developers.
SCRAM uses the widely followed security controls and sub-controls from the Center for Internet Security for its analysis. For example, in this first assessment, it identified three major security vulnerabilities that cost the companies more than $1 million each in losses:
- Failures in preventing malware attacks
- Communication over unauthorized ports
- Inability to mine logs for effective incident prevention, detection, and resolution
SCRAM also spotted two other areas that merit attention: the need to inventory hardware to ensure only authorized devices get access, and to have boundary defenses such as firewalls and proxies to control traffic through network borders.
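The article does not say which cryptographic technique lets SCRAM analyze "locked" contributions without reading them. The following is an added illustration, not MIT's code or protocol: it uses additive secret sharing (an assumed, commonly used building block of secure multi-party computation) to sum per-control losses across firms so that each aggregation server sees only random-looking shares, while the totals per CIS control, and which controls exceed the $1 million mark, still come out. Firm names, loss figures and server count are constructed sample values.

```python
import secrets

# Constructed illustration of one way "locked" contributions can be summed without any
# single party seeing a firm's plaintext: additive secret sharing over a prime field.
# This is NOT MIT's SCRAM protocol; it only demonstrates the privacy property the page describes.
PRIME = 2**61 - 1  # field modulus; all shares and sums are taken mod PRIME

# Constructed sample data: loss in dollars per CIS control, for three contributing firms.
CONTROLS = ["malware-defense", "unauthorized-ports", "log-analysis"]
FIRM_LOSSES = {
    "firm-A": {"malware-defense": 400_000, "unauthorized-ports": 150_000, "log-analysis": 700_000},
    "firm-B": {"malware-defense": 350_000, "unauthorized-ports": 600_000, "log-analysis": 200_000},
    "firm-C": {"malware-defense": 300_000, "unauthorized-ports": 100_000, "log-analysis": 250_000},
}

def split(value, n_servers):
    """Split value into n_servers random shares that sum to value mod PRIME.
    Any n_servers-1 of the shares are uniformly random and reveal nothing about value."""
    shares = [secrets.randbelow(PRIME) for _ in range(n_servers - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares

def contribute(losses, n_servers):
    """A firm splits every per-control loss; aggregation server i receives only bundles[i]."""
    bundles = [{} for _ in range(n_servers)]
    for control, loss in losses.items():
        for i, share in enumerate(split(loss, n_servers)):
            bundles[i][control] = share
    return bundles

def aggregate(all_bundles, n_servers):
    """Each server sums the shares it holds per control (seeing only random-looking
    numbers); combining the n_servers partial sums reveals only the totals."""
    partial = [dict.fromkeys(CONTROLS, 0) for _ in range(n_servers)]
    for bundles in all_bundles:
        for i in range(n_servers):
            for c in CONTROLS:
                partial[i][c] = (partial[i][c] + bundles[i][c]) % PRIME
    totals = {c: sum(p[c] for p in partial) % PRIME for c in CONTROLS}
    return totals, partial

def total_losses(firms, n_servers=3):
    """Run one full round: every firm contributes shares, servers aggregate, totals come out."""
    all_bundles = [contribute(losses, n_servers) for losses in firms.values()]
    return aggregate(all_bundles, n_servers)[0]

def controls_over(totals, threshold=1_000_000):
    """Controls whose aggregate loss exceeds the threshold (the $1 million cut the article cites)."""
    return sorted(c for c, t in totals.items() if t > threshold)
```

Because every server holds a uniformly random share of each loss, a breach of any single aggregation server exposes nothing about a firm's figures; only collusion of all servers would recover them.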
"If you’re a CISO at one of these organizations, it can be an overwhelming task to try to defend absolutely everything. They need to know where they should direct their attention."
—Taylor Reynolds
Attack the attackers where it hurts
The secrecy and lack of cooperation around sharing cyber-attack data is a major issue, said Jeff Pollard, a Forrester Research vice president and principal analyst. Most enterprises share only attack indicators. "Attackers often steal customer data, intellectual property, and other confidential information that contribute to the firms' competitive advantage," he said.
On top of that, breaches inevitably wind up in litigation, so information that's shared can become discoverable during the legal process.
"Firms might share that an attacker used a tool or technique that was identifiable based on certain technical characteristics. But they rarely share the specific methodologies or what was ultimately obtained by the attacker."
—Jeff Pollard
This, MIT's Reynolds said, makes the attackers rejoice, and it perpetuates a vicious cycle.
"It's really a nice gift that we've given to cyber criminals."
—Jeff Pollard
Will SCRAM change the game?
Weaknesses that in the past have afflicted programs to aggregate cyber-attack data include skewed, limited datasets; a biased and self-serving mission; and mistrust about the ability to keep the data safe, said Pollard. "Most data about breaches is biased in some way," he said.
For example, some of it comes from vendors of cybersecurity or sellers of cyber-insurance products and services. "Obviously, those companies have a financial interest in making the total cost of a breach seem as outlandish as possible," Pollard said.
Meanwhile, reports from cybersecurity vendors often have issues because of selection bias: The reports focus on the vendor's area of expertise and are aimed at its target customers. "That doesn’t mean every attack and data breach is like that, only those in the sample set," Pollard said.
Then there's the risk of handing over highly sensitive and confidential data to an organization that itself could suffer a breach. MIT's assurance that SCRAM can analyze encrypted cyber-attack data without actually reading it could go a long way toward making companies more comfortable about participating, said Pollard.
"Sharing information like this is definitely a contribution toward the greater good, especially if it can act as an unbiased repository of information that's voluntarily shared."
—Jeff Pollard
Adopting an open approach
Ultimately, SCRAM adoption will hinge on ease of use, dataset quality, and actionability—just as with any other new security product or service. "Gathering and sharing information needs to be as simple as possible. Otherwise, security leaders and their teams won't have time for it," Pollard said.
Meanwhile, the dataset that participants receive must be enticing—comprehensive, accurate, and meaningful.
"Most CISOs want things to be as close to their organization as possible. The more precise the dataset gets, the more useful it becomes for security leaders."
—Jeff Pollard
Security leaders need pragmatic information and guidance that can be executed on. "CISOs and teams already have too much to do. So saying 'do more' doesn't help," Pollard said. "They need help to triage [existing] projects and initiatives, not entirely new tasks."