Kevin Keeney, who is a cybersecurity advocate for Elastic and serves in the US National Guard, discusses how transparency and teamwork can empower the fight against cyber-criminals.
Locked. Closed. Hidden. Private. It is the prevailing language of cybersecurity; the fewer people who know how security is handled, the safer and better the system will be. A closed approach to security might have been sufficient when we knew what to look for – e.g. John Smith, who lives in Port Melbourne with three kids. But the world has changed and we don’t always know who or what we are hunting. Instead, we are trying to spot patterns in communications behaviour to find who we are looking for. It is a scale of data unimaginable just a decade ago.
“Security through obscurity” is no match for today’s increasingly wily cyber adversary. In order to detect patterns in communications behavior, we need to be moving in the direction of open source projects that enable us to collaborate and fight as a team.
There’s increasing awareness in the defence community around the value of open source software. Not only is it a cost-effective option for government IT budgets, but its inherent crowd-sourcing multiplies the force of your team to find and fix bugs and increase the scale and reach of data analytics. In line with recent directives, like the ‘Ten Commandments of Software’ from the Defense Innovation Board, open source fits all the criteria to help agencies “develop and deploy software as fast or faster than its adversaries are able to change tactics.”
Transparency into code, contributors
Transparency is what makes open source more secure. With open source code, you have the ability to see what the code does. You know how your data is secured, you know if the software is going to retain any of your data (it shouldn’t), and you’re backed by the power of the community to verify and validate.
Another crucial aspect of open code is the ability to know who’s contributing to your code. Commercial software is closed code, and doesn’t allow for visibility into who is contributing to it. It’s not until someone exploits the code that a commercial entity is forced to pull back the curtain, usually with a public announcement. You have no idea if the contributor is from a country or organisation that may pose a threat, or if a library is highly vulnerable.
In contrast, commercially backed open code projects offer complete visibility into the supply chain. Think of it like a benevolent dictator. At Elastic, for example, we hold responsibility for auditing and approving individual contributions.
Fight as a team
Cybersecurity is a human-on-human endeavour, and it’s important to know you’re not alone. Offering the highest level of security and backed by the power of the community, projects built on open code are proving effective across a range of security-related use cases. There are countless open source projects on GitHub that can help you get started on security workloads and proactively hunt adversaries.
For instance, the Missouri National Guard cyber team developed a project called RockNSM, which uses network metadata to hunt out threat patterns in communications traffic and catch bad actors. Instead of looking at the river with a microscope, the Missouri National Guard team assembled several open source projects to deliver entirely new value, then released the combination for free to the cybersecurity community at large. Already downloaded thousands of times by government and commercial users, and enhanced with thousands of community contributions, this kind of effort could never have been accomplished with closed code.
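To make concrete what “hunting patterns in network metadata” means in practice, here is an added example (not RockNSM code, nor anything from the Missouri National Guard team) that looks for one such pattern: a host contacting the same destination at suspiciously regular intervals, which is a behavioural signal rather than a known-bad indicator. The connection records, IP addresses and thresholds are constructed for this illustration.

```python
"""Flag source/destination pairs whose connection timing is highly regular.
Regularity is measured as the coefficient of variation (stdev / mean) of the
gaps between successive connections; a small value means near-constant spacing.
Added example for illustration; the records below are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection metadata: (epoch_seconds, source_ip, dest_ip, dest_port).
# Documentation-range addresses are used; nothing here refers to a real host.
SAMPLE_CONNECTIONS = [
    # 10.0.0.5 reaches the same destination roughly every 60 seconds
    (1000, "10.0.0.5", "203.0.113.10", 443),
    (1061, "10.0.0.5", "203.0.113.10", 443),
    (1119, "10.0.0.5", "203.0.113.10", 443),
    (1180, "10.0.0.5", "203.0.113.10", 443),
    (1241, "10.0.0.5", "203.0.113.10", 443),
    (1299, "10.0.0.5", "203.0.113.10", 443),
    # 10.0.0.7 talks to its destination at irregular, human-like intervals
    (1000, "10.0.0.7", "198.51.100.20", 443),
    (1005, "10.0.0.7", "198.51.100.20", 443),
    (1400, "10.0.0.7", "198.51.100.20", 443),
    (1410, "10.0.0.7", "198.51.100.20", 443),
    (1900, "10.0.0.7", "198.51.100.20", 443),
    (2500, "10.0.0.7", "198.51.100.20", 443),
    # 10.0.0.9 is regular but has too few connections to judge
    (1000, "10.0.0.9", "203.0.113.10", 443),
    (1060, "10.0.0.9", "203.0.113.10", 443),
    (1120, "10.0.0.9", "203.0.113.10", 443),
]


def group_intervals(records):
    """Group timestamps by (src, dst, port) and return the sorted gaps per pair."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst, port)].append(ts)
    intervals = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if gaps:
            intervals[pair] = gaps
    return intervals


def find_regular_pairs(records, min_connections=5, max_jitter=0.15):
    """Return (pair, mean_gap, jitter) for pairs seen at least min_connections
    times whose gap variation (coefficient of variation) is at most max_jitter.
    Thresholds are illustrative; tune them against your own baseline traffic."""
    flagged = []
    for pair, gaps in group_intervals(records).items():
        if len(gaps) + 1 < min_connections:
            continue  # not enough observations to call the timing regular
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; no interval to reason about
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            flagged.append((pair, round(avg, 1), round(jitter, 3)))
    return flagged


if __name__ == "__main__":
    for pair, avg, jitter in find_regular_pairs(SAMPLE_CONNECTIONS):
        print(f"{pair[0]} -> {pair[1]}:{pair[2]} every ~{avg}s (jitter {jitter})")
```

Only the first host is reported: the second varies too much, and the third has too few connections to be judged. The point a hunter should take from this is that the output is a lead to investigate, not a verdict; regular timing also describes legitimate software checking for updates, which is why the thresholds and a baseline of normal traffic matter more than the arithmetic.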
Another project, VulnWhisperer, enables cyber teams to use intel from their organisation – all the exploitable vulnerabilities from scans – to prioritise where to put resources. HELK offers another approach for advanced cyber-hunting analytics, helping cyber teams make sense of disparate data sources inside the contested environment. And CAPESstack delivers all the tools needed to help team members communicate and run cyber analytics and examination, including incident response, intelligence analysis and hunt operations. Like RockNSM, all of these are built on a host of different open source projects. It’s the community commitment and collaboration that have led to this range of tools that are free to use and that solve a full scope of mission-critical security issues.
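The prioritisation idea behind VulnWhisperer, using what your own scans tell you to decide where to spend effort first, is easy to show in a few lines. The following is an added example, not VulnWhisperer’s code or data model: it parses a constructed CSV export (the column names and the finding IDs are made up for this illustration) and ranks findings so that an exploitable, internet-facing issue outranks an unexploitable one with a higher base score.

```python
"""Rank vulnerability-scan findings by risk rather than raw severity.
Score = CVSS base score, doubled when a public exploit exists and increased by
half again when the host is internet-facing. Added example; the CSV, column
names, finding IDs and weights are constructed and illustrative only."""
import csv
import io

# Constructed scanner export. "F-00x" are placeholder finding IDs, not real CVEs.
SCAN_EXPORT = """host,finding_id,cvss,exploit_available,internet_facing
web-01,F-001,9.8,true,true
db-01,F-002,10.0,false,false
web-02,F-003,7.5,true,true
lab-01,F-004,5.3,true,false
"""

EXPLOIT_WEIGHT = 2.0      # public exploit code exists
EXPOSURE_WEIGHT = 1.5     # host reachable from the internet


def parse_findings(export_text):
    """Parse the CSV export into dicts with typed fields; skips malformed rows."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            findings.append({
                "host": row["host"],
                "finding_id": row["finding_id"],
                "cvss": float(row["cvss"]),
                "exploit_available": row["exploit_available"].strip().lower() == "true",
                "internet_facing": row["internet_facing"].strip().lower() == "true",
            })
        except (KeyError, ValueError):
            continue  # a bad row should not abort the whole triage run
    return findings


def risk_score(finding):
    """Combine base severity with the two context signals the scan gives us."""
    score = finding["cvss"]
    if finding["exploit_available"]:
        score *= EXPLOIT_WEIGHT
    if finding["internet_facing"]:
        score *= EXPOSURE_WEIGHT
    return round(score, 2)


def prioritize(export_text):
    """Return findings sorted highest-risk first, each annotated with its score."""
    ranked = []
    for finding in parse_findings(export_text):
        ranked.append({**finding, "score": risk_score(finding)})
    ranked.sort(key=lambda f: f["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for f in prioritize(SCAN_EXPORT):
        print(f"{f['score']:>6}  {f['host']:<8} {f['finding_id']}")
```

Run as is, the CVSS 7.5 finding on the exposed web host lands second, above the CVSS 10.0 finding on the internal database that has no known exploit. The weights are deliberately simple; the lesson is that scan data becomes useful for resourcing decisions once it is combined with context the organisation already holds.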
For an industry facing new and overwhelming security challenges at an alarming rate, we need to overhaul our thinking. The conversation should no longer be a debate of open source versus closed source, but should instead insist on a community-driven approach that delivers the highest level of transparency and in turn, the highest level of security.