CyberSecurity Knowledge Bases: The Brain of Security Systems
Despite significant investments in cybersecurity systems, IT systems are still vulnerable to cyber-attacks. This is evident from reports of recent large-scale cyber-security attacks: Following the notorious Wannacry ransomware attack in 2017 that impacted many thousands of systems worldwide, in 2018 we witnessed the VPNFilter Russian hacking campaign. The latter impacted more than 5,00,000 routers around the globe, based on the spreading of “VPNFilter”, a specific type of malware that can be used to orchestrate affected devices into a massive botnet. These incidents highlight the need for more intelligent security systems, which could rapidly become aware of new risks and optimal ways to confront them.
In this context, modern security systems are built in a way that allows them to access knowledge about all known threats and about their root causes. This knowledge should become an integral part of all security tools that help organizations identify what could be wrong in order to either avoid or to remedy relevant risks. As such, this knowledge is a core part of any security tool’s intelligence and resides in the so-called security knowledge bases.
In order to understand the role and functionality of a security knowledge base, it’s worth having a look at some of the main components of a security monitoring and intelligence system:
Based on the analysis of security data, various security patterns, events and behaviors can be identified, including patterns that concern the operation of multiple systems at the same time (e.g., the formation of a botnet or a Distributed Denial of Service (DDoS) attack) rather than the operation of the single system alone. The role of the Security Knowledge Base is to match the detected security pattern or behavior against a set of common incidents, threats, and vulnerabilities, in order to produce relevant recommendations about confronting the detected threat. Therefore, a knowledge base comprises knowledge about past threats and incidents, including a set of indicators for identifying them. Likewise, it also provides a set of rules and inference capabilities, which facilitate matching and identification of threats based on a combination of indicators. These inference capabilities endow the security system with intelligence characteristics, forming essentially the brain of the security system.
Most security vendors build and provide high-quality knowledge bases, which enterprises can license and use. As evident from the anatomy of security monitoring systems, the use of a complete, versatile and smart knowledge base can have a significant impact on the accuracy and efficiency of the security system as a whole. Nevertheless, apart from commercial (and usually expensive) knowledge bases, there are also open source ones, which are based on the publicly accessible information.
One of the most prominent examples of openly accessible security knowledge bases is the CVE (Common Vulnerabilities and Exposures) database, which is a catalog of known, prominent security threats. It is sponsored by the United States Department of Homeland Security. As its name indicates, it focuses on two types of security threats, namely vulnerabilities and exposures. One can search the CVE in order to discover threats associated with specific products, vendors and type of vulnerability or exposure. It is therefore structured as a list of entries, each one containing an identifier (ID), a description and at least one public reference to a known cybersecurity vulnerability. When multiple references of vulnerability are available, they are presented in the following order: First the initial announcement of the vulnerability, and next to the response team advisory followed by the vendor’s acknowledgment and all other public sources where the vulnerability is referenced.
Based on the CVE, the National Vulnerability Database (NVD) has been developed. In particular, the NVD is a superset of the CVE, which augments it with additional analytical functionalities and tools such as search engines. However, the NVD is fully dependent on the source information of the CVE i.e. whenever the CVE is updated the updates are directly reflected on the NVD tools. It’s also noteworthy that the NVD provides a tool for calculating a vulnerability score for given threats, which is called CVSS (Common Vulnerability Scoring System). CVSS is a standard, vendor agnostic methodology for assessing vulnerability severity. As such it is a very useful tool for security processes like risk assessment.
Security vendors and integrators that wish to take advantage of the NVD are provided with access to XML and JSON data feeds, which comprise the augmented CVE information. They can also download and process the entire NVD information. Moreover, data and tools for using the CVSS scoring system are provided. Overall, access to NVD data provides the means for an open and simple implementation of a security knowledge base.
Security knowledge bases are powerful data-intensive infrastructures, which enable the implementation and deployment of security intelligence systems. Security experts must, therefore, get acquainted with their structure, content, and operation. Leveraging the knowledge bases in the security deployments will go a long way to ensure an integrated and secure Infrastructure System.
Six Ingredients of Data Management Intelligence
Top Strategic Priorities for CIOs in 2021
Positioning Your IT for Success in 2021
Customer Centric Processes: From CRM to Customer Data Platforms
Robotic Process Automation: A Driver for Cost-Efficient Enterprises Processes
Seven Ways COVID19 has Changed the CIO Role
AIOps: Empowering Automated and Intelligent Cloud Operations
Shaping the Future of Enterprise Content Management with Artificial Intelligence
An Introduction to Continuous Integration and Workflows
Cloud Leaks: The basics you need to know
We're here to help!
No obligation quotes in 48 hours. Teams setup within 2 weeks.
If you are a Service Provider looking to register, please fill out this Information Request and someone will get in touch.
Outsource with Confidence to high quality Service Providers.
If you are a Service Provider looking to register, please fill out
this Information Request and someone will get in
Enter your email id and we'll send a link to reset your password to the address
we have for your account.
The IT Exchange service provider network is exclusive and by-invite. There is
no cost to get on-board;
if you are competent in your areas of focus, then you are welcome. As a part of this exclusive