CyberSecurity Knowledge Bases: The Brain of Security Systems

by Sanjeev Kapoor 07 Sep 2018

Despite significant investments in cybersecurity systems, IT systems remain vulnerable to cyber-attacks. This is evident from reports of recent large-scale attacks: following the notorious WannaCry ransomware attack of 2017, which affected many thousands of systems worldwide, 2018 saw the VPNFilter Russian hacking campaign. The latter affected more than 500,000 routers around the globe through the spread of "VPNFilter", a type of malware that can be used to orchestrate infected devices into a massive botnet. These incidents highlight the need for more intelligent security systems that can rapidly become aware of new risks and of the best ways to confront them.

In this context, modern security systems are built so that they can access knowledge about all known threats and about their root causes. This knowledge should become an integral part of every security tool that helps organizations identify what could be wrong, so that the relevant risks can be either avoided or remedied. As such, this knowledge is a core part of any security tool's intelligence, and it resides in the so-called security knowledge bases.


Anatomy of a Security Intelligence System

In order to understand the role and functionality of a security knowledge base, it is worth first looking at the main components of a security monitoring and intelligence system, and at how the knowledge base fits among them.


Role of a Security Knowledge Base

Based on the analysis of security data, various security patterns, events and behaviors can be identified, including patterns that concern the operation of multiple systems at the same time (e.g., the formation of a botnet or a Distributed Denial of Service (DDoS) attack) rather than the operation of a single system alone. The role of the security knowledge base is to match a detected pattern or behavior against a set of known incidents, threats and vulnerabilities, in order to produce recommendations for confronting the detected threat. A knowledge base therefore comprises knowledge about past threats and incidents, including the indicators by which they can be recognized. It also provides rules and inference capabilities that allow a threat to be identified from a combination of indicators. These inference capabilities are what endow the security system with intelligence; they are, essentially, the brain of the security system.

Most security vendors build and provide high-quality knowledge bases, which enterprises can license and use. As the anatomy of security monitoring systems shows, a complete, versatile and smart knowledge base can have a significant impact on the accuracy and efficiency of the security system as a whole. Apart from commercial (and usually expensive) knowledge bases, there are also open source ones, which are built on publicly accessible information.


The Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD)

One of the most prominent examples of an openly accessible security knowledge base is the CVE (Common Vulnerabilities and Exposures) database, a catalog of known, prominent security threats. It is sponsored by the United States Department of Homeland Security. As its name indicates, it focuses on two types of security threats, namely vulnerabilities and exposures. One can search the CVE to discover threats associated with specific products, vendors, and types of vulnerability or exposure. It is structured as a list of entries, each containing an identifier (ID), a description and at least one public reference to a known cybersecurity vulnerability. When multiple references for a vulnerability are available, they are presented in the following order: first the initial announcement of the vulnerability, then the response team's advisory, followed by the vendor's acknowledgment and then all other public sources where the vulnerability is referenced.

The National Vulnerability Database (NVD) has been developed on top of the CVE. In particular, the NVD is a superset of the CVE that augments it with additional analytical functionality and tools such as search engines. However, the NVD depends entirely on the source information of the CVE: whenever the CVE is updated, the updates are reflected directly in the NVD tools. It is also noteworthy that the NVD provides a tool for calculating a vulnerability score for a given threat, based on the Common Vulnerability Scoring System (CVSS). CVSS is a standard, vendor-agnostic methodology for assessing vulnerability severity, which makes it a very useful tool for security processes such as risk assessment.

Security vendors and integrators that wish to take advantage of the NVD are provided with access to XML and JSON data feeds that carry the augmented CVE information. They can also download and process the entire NVD data set. Moreover, data and tools for using the CVSS scoring system are provided. Overall, access to NVD data provides the means for an open and simple implementation of a security knowledge base.


Security knowledge bases are powerful, data-intensive infrastructures that enable the implementation and deployment of security intelligence systems. Security experts must therefore become acquainted with their structure, content and operation. Leveraging knowledge bases in security deployments goes a long way toward ensuring an integrated and secure infrastructure.
