In 1814, the French astronomer and mathematician Pierre Simon Laplace claimed that, with enough information, any event could be predicted. Accordingly, he argued, one should be able to predict on which side a coin will land every time it is tossed, assuming that one has all the relevant information (such as the coin’s absolute structure, its weight, the humidity, temperature, air composition in the vicinity, and innumerable other relevant parameters). Laplace asserted that since movement equations are closed equations that can be solved, it is always possible to predict the result of a coin toss with absolute certainty. The only thing preventing this, he theorized, is one’s inability to gather and analyze all the parameters relevant to the event of the coin toss itself.
With the prodigious development of tools and methodologies of big data analysis, this inability to gather and analyze information may be changing. We are witnessing a momentous expansion of capacities that makes it possible to gather almost limitless amounts of information and analyze them through the use of advanced analytical tools. Cybersecurity is one of the areas benefiting most from this rapid development—not only in the context of intelligence-gathering, but also in understanding the cybersecurity situation of an organization or a nation.
Despite the benefits of these rapid developments, the enormous quantities of information and events from a variety of sources arriving from various sources at phenomenal rates pose huge challenges to deriving relevant, clear, broad, and comprehensive understandings of situations from this information. The present situation is akin to the ancient Indian proverb in which a group of blindfolded investigators try to identify an elephant solely by touching different parts of it. Each can feel only the part of the animal directly in front of him or her, making it impossible to formulate a complete picture. This is the situation in all industries with information gaps, and even more so in understanding the present moment in cyberspace.
The multiplicity of threats in cyberspace and the ability of attackers to detect weaknesses and use them in operations requires a holistic view of organizational security. The exposure of organizations to cyber events is not due solely to the exposure of its computer system to Internet threats, but rather to a broad range of vulnerabilities. It is increasingly apparent that in order to understand what is going on in cyberspace, organizations, in conjunction with national governments, should create a comprehensive and integrative picture of events in the organization, both in cyberspace and physical space. Just as nation-state attackers and terrorist organizations do not distinguish between these two spheres, the defender should also avoid an artificial separation between defenses in the two spaces—a separation that is likely to prove harmful. As a result, a comprehensive and integrated defense concept encompassing both cyberspace and physical space should be created.
The main challenge to devising a so-called Integrated Security Approach (ISA) is to fuse all the incoming information and create a correlation in the rate that will allow insights derived from this fusion to be relevant to foiling the threat. The counteraction circle should include the following four efforts:
- The ability to generate an early warning. This warning should be concrete and relevant, and should facilitate concrete response activity. There should be a hierarchy of warnings with corresponding response levels for every severity of warning.
- A preventative effort consisting of active organizational or national measures for preventing materialization of the threat.
- Detection, an essential effort aimed at realizing to what degree the organization has been affected and penetrated.
- A reaction effort. According to the counteraction concept, this effort should not confine itself to dealing solely with “noisy” or “silent” activity to stop an attack; it should utilize attacks as part of the intelligence-gathering effort, thereby reversing the situation by turning the pursuer into the pursued.
Understanding the integrative situation is extremely challenging; it requires tools and capabilities that will enable us to see the full picture, not just identify isolated parts of it. The information comes from a very broad range of sensors and sources, which present three main difficulties:
- The quantity of information. In attempting to generate a comprehensive picture, we require enormous amounts of information coming from all the organizational (or national) systems.
- The huge variance in the information and the sources from which it comes. This is a great challenge: information should be collected from information security operations centers (SOCs), network operations centers (NOCs), events in information and communications technologies (ICT) systems, and warnings from data leakage prevention (DLP) systems. As if that were not enough, in light of the profound realization that security in cyberspace cannot be separated from security in physical space, information needs to be gathered from all of the organization’s physical security systems as well (for example, access control systems, presence management systems, etc.). Intelligence information must also be culled from sources outside the organization (such as all the layers of the Internet) as well as internal sources such as behavior of employees, operational characteristics of end user stations, etc.
- The rate at which sensors and sources create the information
The combination of these three elements—quantity, variance, and rate—poses a significant challenge to generating a high-quality, relevant picture of the situation for the security of an organization or for national security. Here technology assists with the use of advanced analytic tools. High-speed analysis of big-data enables calculating correlations and probabilities, and helps generate an updated situational awareness.
It is becoming increasingly apparent that cyberspace cannot be an isolated, independent, or “alien” theater of action. Dealing with growing threats requires a comprehensive Integrated Security Approach that encompasses both cyberspace and physical space. Any attempt to delineate a separation between the two is artificial and doomed to fail. Though we are still very far from realizing Laplace’s theorem, an Integrated Security Approach supported by big-data analytic tools may both improve our understanding of the cybersecurity situation and bring us slightly closer Laplace’s vision of perfect information.