CyberSecurity Knowledge Bases: The Brain of Security Systems

Despite significant investments in cybersecurity systems, IT systems are still vulnerable to cyber-attacks. This is evident from reports of recent large-scale cyber-security attacks: Following the notorious Wannacry ransomware attack in 2017 that impacted many thousands of systems worldwide, in 2018 we witnessed the VPNFilter Russian hacking campaign. The latter impacted more than 5,00,000 routers around the globe, based on the spreading of “VPNFilter”, a specific type of malware that can be used to orchestrate affected devices into a massive botnet. These incidents highlight the need for more intelligent security systems, which could rapidly become aware of new risks and optimal ways to confront them.

In this context, modern security systems are built in a way that allows them to access knowledge about all known threats and about their root causes. This knowledge should become an integral part of all security tools that help organizations identify what could be wrong in order to either avoid or to remedy relevant risks. As such, this knowledge is a core part of any security tool’s intelligence and resides in the so-called security knowledge bases.

Anatomy of a Security Intelligence System

In order to understand the role and functionality of a security knowledge base, it’s worth having a look at some of the main components of a security monitoring and intelligence system:

• Monitoring Probes: A security intelligence system collects security-related information by means of monitoring probes that are attached to the IT systems being monitored. Probes are deployed inside the IT systems and used to collect either system-level information (e.g., network logs, CPU and memory usage information) or application-level behaviors (i.e. how a system behaves during its operation). These pieces of information can be analyzed in order to signal abnormal or suspicious behavior that may be linked to security vulnerabilities or incidents.
• Security Data Collection Middleware: Information is not collected from a single source/probe, but rather from the many different systems that comprise the IT infrastructure to be protected. Hence, a set of middleware components are required in order to credibly collect information from all the different probes, including components that can handle streaming information such as data comprising of dynamic and fast-changing security information.
• Security Data Storage: The collected information needs to be stored in a proper set of datastores. In non-trivial systems, storage will be based on some Big Data infrastructure, given that the security data is characterized by very high volumes, heterogeneous sources of data and streams with very high ingestion rates.
• Big Data Analytics: The analysis of the collected data is the cornerstone of the security systems intelligence. To this end, a Big Data analytics infrastructure is implemented over the secure data storage. This may include predictive analytics for anticipating threats and security incidents, rather than addressing them reactively.

Role of a Security Knowledge Base

Based on the analysis of security data, various security patterns, events and behaviors can be identified, including patterns that concern the operation of multiple systems at the same time (e.g., the formation of a botnet or a Distributed Denial of Service (DDoS) attack) rather than the operation of the single system alone. The role of the Security Knowledge Base is to match the detected security pattern or behavior against a set of common incidents, threats, and vulnerabilities, in order to produce relevant recommendations about confronting the detected threat. Therefore, a knowledge base comprises knowledge about past threats and incidents, including a set of indicators for identifying them.  Likewise, it also provides a set of rules and inference capabilities, which facilitate matching and identification of threats based on a combination of indicators. These inference capabilities endow the security system with intelligence characteristics, forming essentially the brain of the security system.

Most security vendors build and provide high-quality knowledge bases, which enterprises can license and use. As evident from the anatomy of security monitoring systems, the use of a complete, versatile and smart knowledge base can have a significant impact on the accuracy and efficiency of the security system as a whole. Nevertheless, apart from commercial (and usually expensive) knowledge bases, there are also open source ones, which are based on the publicly accessible information.

The Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD)

One of the most prominent examples of openly accessible security knowledge bases is the CVE (Common Vulnerabilities and Exposures) database, which is a catalog of known, prominent security threats. It is sponsored by the United States Department of Homeland Security. As its name indicates, it focuses on two types of security threats, namely vulnerabilities and exposures. One can search the CVE in order to discover threats associated with specific products, vendors and type of vulnerability or exposure.  It is therefore structured as a list of entries, each one containing an identifier (ID), a description and at least one public reference to a known cybersecurity vulnerability. When multiple references of vulnerability are available, they are presented in the following order: First the initial announcement of the vulnerability, and next to the response team advisory followed by the vendor’s acknowledgment and all other public sources where the vulnerability is referenced.

Based on the CVE, the National Vulnerability Database (NVD) has been developed. In particular, the NVD is a superset of the CVE, which augments it with additional analytical functionalities and tools such as search engines. However, the NVD is fully dependent on the source information of the CVE i.e. whenever the CVE is updated the updates are directly reflected on the NVD tools. It’s also noteworthy that the NVD provides a tool for calculating a vulnerability score for given threats, which is called CVSS (Common Vulnerability Scoring System). CVSS is a standard, vendor agnostic methodology for assessing vulnerability severity. As such it is a very useful tool for security processes like risk assessment.

Security vendors and integrators that wish to take advantage of the NVD are provided with access to XML and JSON data feeds, which comprise the augmented CVE information. They can also download and process the entire NVD information. Moreover, data and tools for using the CVSS scoring system are provided. Overall, access to NVD data provides the means for an open and simple implementation of a security knowledge base.

Security knowledge bases are powerful data-intensive infrastructures, which enable the implementation and deployment of security intelligence systems. Security experts must, therefore, get acquainted with their structure, content, and operation. Leveraging the knowledge bases in the security deployments will go a long way to ensure an integrated and secure Infrastructure System.