Bridging the Gap Between Cyber Threat Data and Traditional Intelligence Sources
The Cyber Threat Deterrent: Collective Intelligence
To support the Comprehensive National Cybersecurity Initiative (CNCI), Agent Logic provides the cyber intelligence analyst with an event-driven, collective intelligence solution that leverages the government's multi-INT resources to monitor and understand cyber threats at the tactical, enterprise, and even strategic level. By correlating the data collected by the tools traditional network security analysts already use with sensors, field reports, geospatial data, and other relevant sources, the cyber analyst can develop the same operational intelligence picture that characterizes conventional intelligence disciplines such as counter-terrorism/insurgency and weapons proliferation.
Bridging the Gap Between Cyber Data and Traditional Intelligence
Current IT tools and techniques for identifying and suppressing cyber threats, such as intrusion detection systems, firewalls, and network monitors, coupled with integrated Enterprise Security Management (ESM) and Security Information Management (SIM) platforms, detect frontal assaults on the cyber infrastructure. Identifying coordinated and premeditated attacks, however, requires proactively combining cyber threat data with traditional intelligence sources. To accomplish this, RulePoint receives cyber threat data from these specialized third-party tools and automatically correlates it with all other sources of intelligence, bridging the gap to build an actionable operational picture of threats directed at national security and the homeland more efficiently and in less time.

Figure 1 – Bridging the Gap Between Cyber Data and Traditional Intelligence
Persistent Real-Time Cyber Analysis
The Agent Logic cyber solution provides cyber intelligence analysts and investigators with a multi-INT, cross-domain, user-defined collective intelligence platform that correlates enterprise intelligence sources to reveal hidden threats and opportunities in time-sensitive environments. The result is a shorter gap between collection, analysis, and action, achieved by delivering real-time intelligence to users anywhere in the organization. Agent Logic's self-service, rules-based system provides a simple and powerful user interface that supports collaborative processes while enabling analysts to monitor events of interest and to alert or respond when the conditions associated with those events are met. The rule expression language is natural and simple, and it lets analysts use their own vocabulary, through watch lists and analytics, to characterize their own conditions of interest. The system also lets analysts write expressions involving temporal and geospatial intersections, dramatically simplifying the addition of time and space dimensions to cyber analysis.

Figure 2 – The Agent Logic Multi-INT Architecture
Event-Driven Collective Intelligence Platform
RulePoint® is Agent Logic's easy-to-use Complex Event Processing (CEP) server. RulePoint provides collective intelligence by ingesting, organizing, and exposing event data so that cyber analysts can build rules to monitor, detect, correlate, and respond when conditions of interest are met. A rule identifies the specific events to detect and the responses to execute when detection occurs.
RulePoint also allows the cyber analyst to mix temporal, geospatial, and multi-source correlations and analytics into a rule. A relevant cyber rule might, for example, correlate event data from network security event sources, watch lists of targets, and geo-referenced entity databases, as follows:
Notify me when 2 related cyber threat alerts occur within a 30-minute period and the source IP address of the alerts is associated with a person of interest on my watch list, or matches an active case or report in an intelligence database, and the connection originates from a potential foreign ISP of interest located in one of my geographic named areas of interest.

Figure 3 – Multi-INT Cyber Threat Detection & Response
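The natural-language rule above combines three distinct mechanisms: a sliding time window over alerts grouped by source IP, enrichment of that IP against watch lists and case records, and a geographic filter on the originating network. The following Python script is an added illustration of how those pieces fit together; it is not RulePoint code and does not use RulePoint's expression language. The watch list, case database, geo/ISP table, country codes, and alert records are all constructed for the example (the IP addresses are from the RFC 5737 documentation ranges), and the rule is read as: (at least 2 alerts within 30 minutes) AND (watch-listed OR in a case) AND (ISP country in a named area of interest).

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# --- Constructed reference data (hypothetical; RFC 5737 documentation ranges) ---
WATCH_LIST = {"203.0.113.7": "POI-0042",          # IP -> person-of-interest handle
              "203.0.113.99": "POI-0077"}
CASE_DB = {"198.51.100.23": ["CASE-2009-117"]}    # IP -> open case / report ids
# Geo/ISP lookup keyed by network; country codes and ISP names are made up.
GEO_DB = {
    ipaddress.ip_network("203.0.113.0/24"): ("XA", "Example Foreign ISP"),
    ipaddress.ip_network("198.51.100.0/24"): ("XB", "Another Foreign ISP"),
    ipaddress.ip_network("192.0.2.0/24"): ("US", "Domestic ISP"),
}
NAMED_AREAS_OF_INTEREST = {"XA"}                  # analyst's geographic NAI, by country code


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src_ip: str
    signature: str


def geo_lookup(ip):
    """Longest-match is unnecessary here because the constructed networks do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, info in GEO_DB.items():
        if addr in net:
            return info
    return None


def enrich(ip):
    """Return intelligence context for a source IP, or None if the rule's
    watch-list/case and geographic conditions are not both satisfied."""
    poi = WATCH_LIST.get(ip)
    cases = CASE_DB.get(ip, [])
    if not (poi or cases):                         # watch list OR case database
        return None
    geo = geo_lookup(ip)
    if geo is None or geo[0] not in NAMED_AREAS_OF_INTEREST:   # AND ISP in NAI
        return None
    return {"poi": poi, "cases": cases, "country": geo[0], "isp": geo[1]}


def correlate(alerts, threshold=2, window=timedelta(minutes=30)):
    """Sliding-window correlation keyed by source IP. Fires once per IP when
    `threshold` alerts fall within `window` and enrich() succeeds. Alerts may
    arrive out of order, so they are sorted by timestamp first."""
    recent = defaultdict(deque)
    fired = set()
    notifications = []
    for a in sorted(alerts, key=lambda x: x.ts):
        q = recent[a.src_ip]
        q.append(a)
        while q and a.ts - q[0].ts > window:       # drop alerts older than the window
            q.popleft()
        if len(q) >= threshold and a.src_ip not in fired:
            ctx = enrich(a.src_ip)
            if ctx is not None:
                fired.add(a.src_ip)                # suppress repeat notifications per IP
                notifications.append({
                    "src_ip": a.src_ip,
                    "alerts": [x.signature for x in q],
                    "window_start": q[0].ts,
                    "window_end": a.ts,
                    **ctx,
                })
    return notifications


def sample_alerts():
    """Constructed alert stream exercising each branch of the rule."""
    t0 = datetime(2009, 6, 1, 8, 0)
    return [
        # Watch-listed IP in the NAI, two alerts 12 minutes apart: should fire.
        Alert(t0, "203.0.113.7", "SSH brute force"),
        Alert(t0 + timedelta(minutes=12), "203.0.113.7", "outbound C2 beacon"),
        # IP with an open case, but its ISP is outside the NAI: no firing.
        Alert(t0 + timedelta(minutes=5), "198.51.100.23", "port sweep"),
        Alert(t0 + timedelta(minutes=9), "198.51.100.23", "port sweep"),
        # Domestic IP with no intelligence context: no firing.
        Alert(t0 + timedelta(minutes=1), "192.0.2.9", "port sweep"),
        Alert(t0 + timedelta(minutes=2), "192.0.2.9", "port sweep"),
        # Watch-listed IP whose two alerts are 45 minutes apart: outside the window.
        Alert(t0, "203.0.113.99", "port sweep"),
        Alert(t0 + timedelta(minutes=45), "203.0.113.99", "port sweep"),
    ]


if __name__ == "__main__":
    for n in correlate(sample_alerts()):
        print(n)
```

Only the first source IP satisfies every clause; the others fail on the window, the geographic filter, or the absence of any watch-list or case hit. In a real CEP deployment the enrichment lookups would be external data sources rather than in-memory dictionaries, and the per-IP suppression would typically be replaced by a configurable cool-down so that a persistent actor is re-reported.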
Conclusion
Collect, Share, & Analyze
The ability to collect, share, and analyze data in order to tailor responses to a threat is "the beginning of a deterrence policy." — Paul Kurtz, Cyber Security Expert and Presidential Advisor
Collective cyber intelligence is the foundation on which cross-agency events, alerts, and tipping/cueing provide a unified, force-multiplied, and coordinated response to cyber threats. A strong policy of deterrence depends on the United States' ability to collect, analyze, and share all sources of intelligence when formulating appropriate defensive postures and offensive responses. The asymmetric cyber warfare threat is committed, creative, and patient; the United States must respond with greater commitment, patience, and intellectual and technological resourcefulness in order to prevail.
For a more comprehensive description of Agent Logic's intelligence solution for the asymmetric cyber-warfare threat, download the white paper, Collective Intelligence–The Cyber Intelligence Threat Deterrent.
