kras99 - stock.adobe.com

Guest Post

Standardized data collection methods can help fight cybercrime

Implementing standards similar to NERC CIP for the entire cybersecurity industry could make it easier for law enforcement to investigate and prosecute cyber attackers.

Being a cybersecurity manager in 2023 is not easy. Even with the virtual equivalent of vaults, sensors and security cameras, the alarm sounds several months too late with culprits already sipping cocktails in the Bahamas. Cybercrime is booming, and it's time to bring it to an end with a solid data trail to track down the criminals.

Responding to a cyber attack is a cybersecurity program manager's most challenging responsibility. Technology is better at prevention and detection of events. To end cybercrime, cybersecurity managers need to get better at collecting evidence and prosecuting cases quickly with a solid data policy.

For years, the primary repository for data collection was SIEM systems, which gather and store data from various sources to reconstruct the sequence of events leading up to an attack. While these systems are automated, log review is usually performed manually or with limited automation and requires human interpretation to make sense of the collected data.

To ensure proper evidence collection, organizations often turn to third-party experts for assistance. These investigations can take weeks or months and be costly. According to IBM Security's "Cost of a Data Breach Report 2022," the typical lifecycle of a data breach is around nine months. Perpetrators often remain unidentified, and if evidence is missing or tampered with, it's impossible to press charges.

The problem is becoming unmanageable. The University of Maryland estimated there is an average of 2,244 cyber attacks daily. Given the sheer number of attacks, developing mechanisms for evidence collection and analysis at scale is imperative. Law enforcement currently lacks the resources to investigate cybercrimes except for the most high-profile cases. Despite the soaring cost of cybersecurity, the consequences for hackers remain minimal, and organizations are on their own to sift through data.

The problem of unstructured data

A company's ability to generate valuable log data is primitive. The absence of interoperability standards for software developers and law enforcement results in a lack of uniformity, coherence and direction. Most logs generated by applications are meant to fix technical issues, not to support law enforcement efforts. These logs are often stored as text dumps on a local hard drive, are not indexed and cannot be queried. To make matters worse, no established standard for storing information or what format to use exists, leading software developers to use language and alphanumeric cues that only they understand.

Rethinking who customers are and what they want

The idea that organizations can hire enthusiastic employees dedicated to cybersecurity and convince them and everyone else to protect their organization tirelessly is misguided. Software developers created cybersecurity applications assuming that the product's primary users would be cybersecurity experts, which is only partially true. Many professionals also have to use these applications, but only those with deep expertise in the field can master the advanced cybersecurity features.

Most of these employees, working in critical infrastructure or otherwise, do not have this expertise or the time to develop it. The lack of abundant experts and easy-to-implement software products significantly impairs an organization's ability to respond quickly to cyber attacks. For example, poor cybersecurity practices were the cause of the 2015 breach in the Office of Personnel Management (OPM) that affected around 22 million individuals' sensitive information. OPM had a security policy in place that, had it been enforced, would have prevented this sophisticated attack. Once the breach happened, however, collecting evidence became a difficult task. This is similar to the Target data breach in 2013 when a subcontractor didn't follow cybersecurity policies. The breach affected 40 million credit and debit card accounts and 70 million individuals' personal information. Evidence collection in both cases was slow and difficult.

While these incidents suggest employees were not adequately trained in cybersecurity procedures, the root cause may be that cybersecurity applications are not designed for the different types of professionals who use them, including lower-level IT office workers and the authorities responsible for cybercrime investigation and evidence collection.

The role of compliance in improving the cybersecurity landscape

The power industry is fortunate to have the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards for cybersecurity, which translate the complexity of cybersecurity into a set of mandatory requirements. Though implementation can be costly, the standards have evolved and are widely successful, legally binding and enforceable.

CIP standards are comprehensive and cover critical areas related to physical and cybersecurity measures. They were developed and maintained by industry stakeholders and regulatory authorities, ensuring the standards remain relevant and effective. By ensuring compliance, organizations avoid fines, minimize the risk of cyber attacks and lower insurance costs significantly. An added benefit to these standards is that CIP standards guide all cybersecurity efforts in the power industry with the help of vendors and software developers. A call to action by NERC to develop tools for the authorities aligns with existing measures, such as disaster recovery and log collection, and would force the industry to embrace the aggressive yet achievable goal of integrating authorities into a cybersecurity strategy.

Positive precedents suggest a solution is possible

Several precedents indicate that a shift toward standardization and interoperability in the cybersecurity industry is achievable. Many software vendors already offer APIs for third-party services to connect and extract information or interact with their features, though they are not standardized. Many antivirus applications, for instance, are integrated with orchestrators that manage multiple endpoints instead of managing each endpoint individually. These orchestrators also gather log data from endpoints and store it in a searchable database, though the information collected is not explicitly intended for use during investigations. Collecting logs through SIEM systems has become widespread, but the reports generated are not designed to aid law enforcement or follow a common reporting standard in the event of a cyber attack.

The FBI tried to set a precedent by working toward standardizing practices through initiatives such as the Cyber Guardian program, which trains local law enforcement to assist in investigations. The program, unfortunately, didn't set a standard for evidence structure.

Connecting the dots

Organizations should advocate for regulators and software vendors to implement these changes. Successfully persuading regulators for a new NERC CIP draft that pushes for better cooperation with law enforcement paves the way for a more secure tomorrow. It may take time for the draft to be approved and for software developers to catch up, however. When this occurs, law enforcement will have to design methods to parse through this data efficiently. Applications will have to be enhanced to produce a one-page executive summary explaining to CISOs, investigators and possibly judges what cybersecurity events occurred and the immediate steps to rectify these data breaches. Critical infrastructure is an excellent niche for developing this technology because of the geopolitical need to protect the nation. And, as the technology matures, changes will be felt across industries, inspiring a new era for organizations and consumers.

About the author
A graduate of Carnegie Mellon University, Juan Vargas started his career doing data analysis at Intel before focusing on automation and control systems at Emerson Electric and finally becoming a cybersecurity expert for those systems. He has worked with most control systems in power generation and on various projects for all of the top 10 utility companies in the United States. Vargas can be reached on Twitter @JuanVargasCMU.

Dig Deeper on Data security and privacy