How MIT's SCRAM could break the cyber-attack logjam

Juan Carlos Perez, freelance writer

MIT is tackling a long-standing problem in cybersecurity: the reluctance of companies that suffer breaches to share the ugly details of those cyber attacks, replacing distrust and secrecy with transparency and cooperation.

For years, governments and organizations have run "trusted third-party" programs to gather this data and help CISOs better protect their organizations through collective knowledge. But MIT, seeing room for improvement, developed a new offering that it hopes will collect more comprehensive data and provide sharper insights to infosec professionals.

The SCRAM (Secure Cyber Risk Aggregation and Measurement) platform is designed to lessen organizations' privacy and liability concerns and thus promote broader data sharing.

MIT said SCRAM will offer greater confidentiality assurance through an innovation that lets it analyze an organization's encrypted data without having to read it or unlock it. According to MIT, "The power of this platform is that it allows firms to contribute locked data that would otherwise be too sensitive or risky to share with any third party."

Will SCRAM break the cyber-attack logjam? Here's what you need to know.

How it works

SCRAM, developed at MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL), is currently a research tool that helps organizations quantify their security posture and weigh their infosec spending priorities, giving companies a better sense of their cybersecurity profile.

In its maiden voyage, SCRAM analyzed data from 50 cyber attacks against seven large companies and pinpointed specific steps that could have prevented the incidents.

"We were able to paint a really thorough picture in terms of which security failures were costing companies the most money," said Taylor Reynolds, technology policy director at MIT's Internet Policy Research Initiative (IPRI) and one of SCRAM's developers.

SCRAM structures its analysis around the widely adopted Center for Internet Security (CIS) Controls and their sub-controls. In this first assessment, for example, it identified three control failures that each cost the participating companies more than $1 million in losses:

  • Failures in preventing malware attacks
  • Communication over unauthorized ports
  • Inability to mine logs for effective incident prevention, detection, and resolution

SCRAM also spotted two other areas that merit attention: the need to inventory hardware to ensure only authorized devices get access, and to have boundary defenses such as firewalls and proxies to control traffic through network borders.
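The page says only that SCRAM analyzes contributed data without reading or unlocking it, and that it ranks CIS control failures by aggregate loss. The following added example (written for this article, not SCRAM's own code) shows one standard way to get that property: each firm splits every dollar figure into two additive secret shares and sends one share to each of two non-colluding aggregation servers. Each server sums the shares it holds, and only the per-control totals are ever reconstructed, so no server sees any firm's individual loss. The firm names, control labels and dollar amounts are constructed sample data, and the two-server additive-sharing design is an assumption used to illustrate the idea, not a description of SCRAM's actual protocol.

```python
"""Added example: private loss aggregation with additive secret sharing.

Illustrative code for this article, not SCRAM's code. The two-server
additive-sharing scheme is an assumed mechanism; the firms, controls and
dollar figures below are constructed sample data.
"""
from __future__ import annotations

import secrets

# Shares are residues mod P, so a single share is statistically independent
# of the value it hides. P must exceed any sum we expect to reconstruct.
P = 2**61 - 1  # Mersenne prime, far larger than any dollar total here

# Constructed sample data: per-firm loss attributed to a CIS control failure.
CONSTRUCTED_LOSSES = {
    "firm_a": {"malware_defenses": 420_000, "unauthorized_ports": 150_000, "log_analysis": 610_000},
    "firm_b": {"malware_defenses": 300_000, "unauthorized_ports": 500_000, "log_analysis": 80_000},
    "firm_c": {"malware_defenses": 510_000, "unauthorized_ports": 40_000, "log_analysis": 700_000},
}


def split(value: int) -> tuple[int, int]:
    """Split value into two additive shares with s1 + s2 == value (mod P)."""
    if not 0 <= value < P:
        raise ValueError("value out of field range")
    s1 = secrets.randbelow(P)       # uniformly random mask
    s2 = (value - s1) % P           # the remainder; also uniform on its own
    return s1, s2


def firm_contribution(losses: dict[str, int]) -> tuple[dict[str, int], dict[str, int]]:
    """What a firm sends: one share of each figure to each server, never plaintext."""
    to_server1: dict[str, int] = {}
    to_server2: dict[str, int] = {}
    for control, dollars in losses.items():
        s1, s2 = split(dollars)
        to_server1[control] = s1
        to_server2[control] = s2
    return to_server1, to_server2


def server_aggregate(shares_from_firms: list[dict[str, int]]) -> dict[str, int]:
    """A server sums the shares it holds per control; it sees no firm's value."""
    totals: dict[str, int] = {}
    for shares in shares_from_firms:
        for control, share in shares.items():
            totals[control] = (totals.get(control, 0) + share) % P
    return totals


def reconstruct(totals1: dict[str, int], totals2: dict[str, int]) -> dict[str, int]:
    """Combine both servers' summed shares; only the aggregate is ever opened."""
    return {control: (totals1[control] + totals2[control]) % P for control in totals1}


def private_total_losses(losses_by_firm: dict[str, dict[str, int]]) -> dict[str, int]:
    """End to end: firms split, two servers sum independently, result reconstructed."""
    inbox1: list[dict[str, int]] = []
    inbox2: list[dict[str, int]] = []
    for losses in losses_by_firm.values():
        s1, s2 = firm_contribution(losses)
        inbox1.append(s1)
        inbox2.append(s2)
    return reconstruct(server_aggregate(inbox1), server_aggregate(inbox2))


def controls_over_threshold(totals: dict[str, int], threshold: int) -> list[str]:
    """Controls whose aggregate loss exceeds threshold, most costly first."""
    return sorted((c for c, v in totals.items() if v > threshold), key=lambda c: -totals[c])


if __name__ == "__main__":
    totals = private_total_losses(CONSTRUCTED_LOSSES)
    print(totals)
    print(controls_over_threshold(totals, 1_000_000))
```

The security of this arrangement rests on the two servers not colluding: either server alone holds only uniformly random residues, but together they can open every firm's figures. It also does nothing to validate inputs, so a firm could submit nonsense and skew the totals undetected; a production system would need input validation (for example, range proofs) on top of the secret sharing.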

"If you’re a CISO at one of these organizations, it can be an overwhelming task to try to defend absolutely everything. They need to know where they should direct their attention."
—Taylor Reynolds

Attack the attackers where it hurts

The secrecy and lack of cooperation around sharing cyber-attack data is a major issue, said Jeff Pollard, a Forrester Research vice president and principal analyst. Most enterprises share only attack indicators. "Attackers often steal customer data, intellectual property, and other confidential information that contribute to the firms' competitive advantage," he said.

On top of that, breaches inevitably wind up in litigation, so information that's shared can become discoverable during the legal process.

"Firms might share that an attacker used a tool or technique that was identifiable based on certain technical characteristics. But they rarely share the specific methodologies or what was ultimately obtained by the attacker."
—Jeff Pollard

This secrecy, MIT's Reynolds said, plays directly into attackers' hands and perpetuates a vicious cycle.

"It's really a nice gift that we've given to cyber criminals."
—Jeff Pollard

Will SCRAM change the game?

Weaknesses that in the past have afflicted programs to aggregate cyber-attack data include skewed, limited datasets; a biased and self-serving mission; and mistrust about the ability to keep the data safe, said Pollard. "Most data about breaches is biased in some way," he said.

For example, some of it comes from vendors of cybersecurity products and services or from sellers of cyber-insurance. "Obviously, those companies have a financial interest in making the total cost of a breach seem as outlandish as possible," Pollard said.

Meanwhile, reports from cybersecurity vendors often have issues because of selection bias: The reports focus on the vendor's area of expertise and are aimed at its target customers. "That doesn’t mean every attack and data breach is like that, only those in the sample set," Pollard said.

Then there's the risk of handing over highly sensitive and confidential data to an organization that itself could suffer a breach. MIT's assurance that SCRAM can analyze encrypted cyber-attack data without actually reading it could go a long way toward making companies more comfortable about participating, said Pollard.

"Sharing information like this is definitely a contribution toward the greater good, especially if it can act as an unbiased repository of information that's voluntarily shared."
—Jeff Pollard

Adopting an open approach

Ultimately, SCRAM adoption will hinge on ease of use, dataset quality, and actionability—just as with any other new security product or service. "Gathering and sharing information needs to be as simple as possible. Otherwise, security leaders and their teams won't have time for it," Pollard said.

Meanwhile, the dataset that participants receive must be enticing—comprehensive, accurate, and meaningful.

"Most CISOs want things to be as close to their organization as possible. The more precise the dataset gets, the more useful it becomes for security leaders."
—Jeff Pollard

Security leaders need pragmatic information and guidance that can be executed on. "CISOs and teams already have too much to do. So saying 'do more' doesn't help," Pollard said. "They need help to triage [existing] projects and initiatives, not entirely new tasks."
