IT Security: Staying Ahead of the Curve
Research Consortium Focuses on Up-and-Coming Technologies
The consortium, which includes three of the nation's top computer security research institutions, was established to help develop new technologies. The institutions involved are Carnegie Mellon University, the Massachusetts Institute of Technology and Purdue University.
Areas of research include automating software application security, where tools can quickly assess vulnerabilities in code to save money and manpower. Cloud computing is another area of intense research, and one technology emerging from it is the watermarking of data streams to aid organizations in "figuring out how to identify not only the data, but where the data came from and who sent it," says Brammer, vice president of advanced technology at Northrop Grumman Information Systems.
Staying ahead of the curve when it comes to the research and development of new security technologies is essential, says Brammer. Areas such as cloud computing are important advancements in IT, but any new area has the potential to bring about new security vulnerabilities.
"It can take a while to sort that out and figure out where the vulnerabilities are and to come up with approaches to deal with them," Brammer says in an interview with GovInfoSecurity.com's Eric Chabrow [transcript below].
People's view of cybersecurity will need to broaden over the next few years, says Brammer. IT security can no longer just focus on the security of enterprise networks and computer systems, but must expand to other areas where computerization has excelled, including transportation systems, power grids and telecommunications.
In an interview with Information Security Media Group, Brammer addresses consortium research projects that include:
- Developing ways to prevent data leakage from organizations sharing cloud computing services.
- Watermarking data to assure their authenticity.
- Seeking new ways to employ encryption in environments such as the cloud.
In an interview with Information Security Media Group last December, Brammer discussed the link between IT security and green IT [see Facing Tradeoffs to Secure IT Systems].
At Northrop Grumman, Brammer is responsible for the overall technology strategy and independent research and development programs, technology and research partnerships, technical talent development and intellectual property management. He previously served as the chief technology officer at the information systems unit. Before joining Northrop Grumman, Brammer worked at NASA, where he focused on the development of real-time software for tracking command, telemetry and communications for Apollo and Skylab manned spaceflight missions.
He holds a bachelor's degree in mathematics from the University of Michigan and master's and doctoral degrees in mathematics from the University of Maryland.
Cybersecurity Research Consortium
ERIC CHABROW: Before we get to the research being conducted, please take a few moments to tell us about the research consortium?
ROBERT BRAMMER: We organized the research consortium a year and a half ago because we wanted to reach out to some of the most creative and innovative organizations to help us address the growing cybersecurity threats. We were seeing trends that have continued to this day in terms of increasing sophistication and targeting of the threats. Although we have a number of very fine staff members, industry professionals and researchers on our staff, frankly we just don't have enough of them. So we wanted to reach out to these universities to help extend the capabilities of our research program. We told the universities in very general terms areas of interest for our research, and invited them to submit proposals. We got a large number of proposals among the three universities and we selected a number of them for our first year. Now we're in the process of concluding the second academic year, and we're very pleased with the progress we've seen so far.
CHABROW: What were these targeted areas of research?
BRAMMER: We sent them a description of 14 different areas of cybersecurity research, very broad top-level areas including things like application security, critical infrastructure protection, dynamic security architectures, and a number of others, IPv6 being another one. In each case we gave them a definition of the scope of the area and the reasoning as to why we were interested in this area and how it would fit into our business strategy. They came back with proposals in areas like cloud computing, encryption, application security, critical infrastructure and a number of other areas. We had typically challenged them to figure out how these different research projects would fit into our business strategy.
Another important aspect of the research consortium is that this is collaborative research. This was not us just handing money to the universities and saying, "Go do your thing." We set up complementary projects in our own research program. We wanted to promote our people working with the university faculty, research associates, graduate students and so forth to really do some team building in this consortium. Closing in on two academic years here, we've seen very good professional relationships develop.
Trends Impacting Cybersecurity Research
CHABROW: How is the current computing environment shaping research being conducted by consortium members and by your own company? And has the situation evolved over the past eighteen months that has changed the direction of that research?
BRAMMER: There are a number of trends in information technology that are having a big impact on the research. You have new architectural developments. Cloud computing today is obviously a very hot subject. People want to press ahead with a new development like cloud computing, and there are many good reasons for doing that: lower cost, assuring of infrastructure, reducing the need for capital expenditures, increased flexibility, agility and so forth. However, any of these new areas has the potential to bring about new security vulnerabilities. And sometimes, it can take a while to sort that out and figure out where the vulnerabilities really are and to come up with approaches to deal with them. The White House announced earlier this year their cloud computing strategy, which is obviously having a big impact on our federal markets. Cloud computing security today is even a higher priority than it was just a couple of years ago. That is one example of how developments, information, technology and services would impact the research.
Another is in the area of high-performance computing. People are building increasingly more powerful computing architectures. Rather, these are new systems, or clusters of various servers, architected together to get increasing performance. Managing larger volumes of information, increased demands for performance and analytical capabilities - learning how to secure things on a very large scale is also a research priority for us. Some security approaches that work fine when networks are slower and databases are smaller may fall over and be overwhelmed in the larger architectures. Things don't necessarily just scale up. A big system is not just a bigger small system. There are qualities of differences as well of quantities of differences. That is another trend in our research program. How does one secure extremely large systems with very powerful networks?
CHABROW: If I hear you, and correct me if I'm wrong, your approach to research is to look at not only what maybe your business needs are, as one of the largest integrators in the country, but also looking at the kind of technologies people are using and how to secure them, rather than looking at the current problems we read every day. You see these various breaches that occur. The approach is looking at what businesses and governments will be using in the coming years.
BRAMMER: We have sort of what you call the "Wayne Gretzky" approach here of trying to escape where the puck is going to be. So yes, we have to be forward looking as a research program. Our research is not about current operations, although obviously we look very closely at what's going on today. But we have to anticipate what is going on or what will be going on over the next few years.
One area that I think people are just beginning to grapple with is the area of cybersecurity for critical infrastructure protection, which is also part of our research consortium. Most people, when they think about computer security, think about getting virus signatures on their PCs, updating their passwords and so forth. That's very important, but an increasing trend most people don't realize how big the impact might be is the computerization of everything - computers going into automobiles, infrastructure systems like the power grid, water supplies or chemical plants. All that computerization is being done for very good reasons. Costs can be reduced, there's flexibility and it's easier to update them.
But again, you computerize anything and you're opening up a class of potential vulnerabilities that can be exploited by a knowledgeable organization. People's view of cybersecurity will need to broaden over the next few years, so we're putting an emphasis on that in our research program. Think about not only security enterprise networks and computer systems, but also security transportation systems, power grids and telecommunications to make sure that all of our operations, including those that we depend on for safety, health, and so forth, are secure from a cyber attack.
CHABROW: With the research being conducted by consortium members so far, is there a certain theme? Is it looking maybe to secure data vs. securing the systems themselves?
BRAMMER: No, I don't think I would say that. We have a pretty broadly based set of projects here. One of the things that's important in my position as a research manager is to make sure that you have a portfolio of approaches. You don't put all your eggs into one basket, and I can't put all of our research dollars into any one category. Certainly securing data is important. We have a number of projects there. We have other areas that we touch on as well.
IT Security Solutions Related to Banking, Healthcare and Government
CHABROW: I would like to take a few moments to talk about specific research initiatives the consortium is addressing. Our listeners are responsible for managing IT security for organizations such as governments, banks and healthcare providers. What are some of the specific cybersecurity challenges that your partners are researching that eventually could become products or solutions that our listeners can use?
BRAMMER: I'll give you a couple of examples. The first one I would pick is vital for really any organization, and that's the area of software application security. Most organizations have software that is written specifically for their operations, quite likely their mission critical systems which are maybe supported by various commercial offerings but generally have some of their own unique characters to them. Writing software application software is a very extensive process. Not only does it take time to design it, write the code and test it, but in many cases, particularly in our federal markets, you have to go through a fairly extensive process called "certification and accreditation," where it has to go through some outside testing before it can be deployed for operations. It can take years to go through a process all the way to the original requirements through development, testing and certification.
Part of our research is on how one shortens up that time. Can we automate certain parts of the design process and the certification process in order to shorten that cycle to get these new developments into operation more quickly but to do it safely? That's a very critical area so we have tools being developed that will analyze the requirements in advance of the development of the software to highlight areas of likely security vulnerability and make sure that secure design techniques are being built into the system. We want to make sure that we have security by design in this, consistent with what is usually called defense in depth, or not putting all your eggs in one basket.
We also have techniques that will actually look at the code while it's being developed and attempt to discover vulnerabilities automatically by looking at the code behavior. And this is code that you may have developed or code from other organizations that you may be integrating into your system. And if you can find vulnerabilities, are they exploitable somehow? That is also part of our research. All of this is focused on trying to reduce the time lost to develop software, and at the same time improving the security aspects.
Another area of very hectic research is cloud computing. Many of our customers are very concerned about public services and they're developing their own, what some people call private clouds. Now for some customers, even though a private cloud may be owned at the agency level, it would still have a number of different parts of the organizations participating in it. It still has some of the same multiple-organization issues that a public service would have. It would be more like the community private cloud. We're designing these with some special security hardware and software to make sure that data does not leak from part of the cloud assigned to one organization into the part of the cloud assigned to another organization. We are also doing something that would be the equivalent of watermarking data streams. That is - figuring out how to identify not only the data, but where the data came from and who sent it so that you know that what you're getting is really authentic.
CHABROW: Is part of watermarking also the ability to find out where that data is?
BRAMMER: Yes. In the event that it did leak out, you could use these techniques to prove that in fact it was yours. We are trying to make it the way you would think of physically watermarking something.
CHABROW: You also mention encryption. What is being done in the encryption area?
BRAMMER: The focus there is on the application of various types of encryption as opposed to doing original encryption algorithms and development, as there are plenty of other groups that are focused on that problem. We want to make some innovative uses of encryption techniques. I mentioned one in terms of cloud architectures that I think has some real potential for us. I think the encryption techniques that we're interested in obviously have to provide the level of security that you want to protect your information, but you want to be sure that you're doing this while trying to minimize the cost in the overhead and the deployment issues that have been a problem for other types of encryption implementation.
Research Timelines
CHABROW: When do you expect some of this research will actually become products and solutions?
BRAMMER: We're going through some of this testing now. We've seen some favorable, what we would call "proof of concept," laboratory demonstrations of a number of these projects, and we're working to scale this up. What we have to do is build some cyber test ranges. These are platforms we use for large-scale testing. If you were to see one of these, you would think it sort of looks like an enterprise data center in the sense that it can have thousands, or tens of thousands, of servers. These servers are specialized hardware for things like traffic generation and specialized software for configuring service in various ways so that we can simulate different types of enterprise or infrastructure networks, and use these cyber ranges. Part of their range is used for the offensive side and the defensive side. We can actually simulate the effect of different strategies. What we're doing then is taking the results of our various research projects on to these cyber ranges, or larger scale testing. And assuming that things continue to go well, we will gauge with some of our customers into reviewing these tests and include these in proposals that we build for them over the next few years.
CHABROW: In discussing one of the solutions being explored, you previously said the key question here is given a certain budget for things like firewalls, intrusion detection systems and prevention systems. How do you get the most bang for your buck? How important is it to research solutions that won't cost customers a lot of money? Is cost a factor? And if it is, does that perhaps limit the discovery of some useful security technology?
BRAMMER: Cost is a huge factor these days. Everybody is under budget pressures and I don't know of a single CIO's budget that's going up. The question of "how do you get the most bang for the buck" via security investments is a real one. A number of these agency or enterprise networks extend over large areas, most of the United States, or even global operations. There are questions then about the architecture of the network and where do you put your various security sensors. You have the same questions about where to put firewalls, intrusion detection or prevention systems by routers and all these devices, in order to make the most effective use of these scarce dollars.