The cyber security blind spot: business logic monitoring

Uploaded by rocco-magnotta, 14-Apr-2017

Page 1: Business Logic Monitoring Primer


“Every organization has a soft underbelly: they have invested in information security products that do not understand their business. These products are one-size-fits-all approaches that miss attacks, defects and administrative errors an intern with two weeks on the job would have spotted. Specifically, these are violations in the business logic – the order of operations among internal systems which are readily – if you care to look – in all operational and industrial IT.”

– Tyson Macaulay, CTO Decision-Zone, former CTO Intel Security

Introduction

Conventional security is based on Next Generation Firewall (NGFW), Intrusion Prevention Services (IPS) and Security Event and Information Management (SIEM), consuming more resources and providing less benefit relative to the force and velocity of attacks. More efficient and elegant security solutions are required.

Message Bus Security using Deep Message Inspection is the next generation of security monitoring technology, bringing efficiency and scalability to enterprise IT and IoT architectures at once.

Cyber threat: a new scope and scale of attack

Things are getting worse, not better, in the world of cyber security. Not only do we have to deal with the “old world” of malicious hackers and spies, but we now have the “new world” of IoT, which brings a host of new vulnerabilities. Conventional security does not scale effectively to the world of IoT, where data volumes are growing relentlessly. Add to this the fact that IoT often has a safety-critical element: property can be damaged and people physically harmed as a result of cyber attacks. But building a firewall into an IoT infrastructure such as a datacenter or network, let alone into the IoT device itself, is impractical for reasons of both cost and efficacy.

Conventional security technology is increasingly outclassed by the scope of IT and IoT operational information and the massive volumes and time-sensitivities of these data flows. An alternative to adding yet more NGFW/IPS and SIEM is to complement these perimeter solutions with Decision-Zone products operating at the level of the messaging bus.

What is a “message bus”?

Message bus technology has been around since before the Internet – dating to the earliest use of electronics in industrial applications. It is essentially a communications path for instructions and information shared among interrelated end-points: for instance, among the web servers and databases in a datacentre / Cloud, or between the rotation monitors on the wheels and the display (speedometer) that the driver sees. A message bus is not the Internet. It sits past the Internet, inside the DC/Cloud (sometimes referred to as east-west traffic) or within the device itself (such as a car-area-network). See Figure 1.


Figure 1: What is a message bus

Conventional security products like NGFW/IPS and SIEM do not operate on the message bus, either in the DC/Cloud or in the IoT. And even if they did, they would be inefficient, expensive and would probably break the system or process they are trying to protect. What these products do is filter network traffic or crunch through logs looking for pre-defined “bad” or suspicious combinations of logs and events. While the message bus is definitely a form of network, it is a rarefied network intended specifically to manage the “business logic” of a service or system. NGFWs/IPS and SIEM are not intended to understand business logic; to them, a message bus is simply another network to be treated just like the Internet.

What is business logic?

Referring to Figure 1: business logic is the order of operations applied in the communications among the component parts of a system, service or device. This is sometimes called the “state machine”: who should speak, and when, in order to generate a specified outcome. For instance, Service A must start a process with a message to Service B. This triggers a message from Service B to Service 2. Service 2 then messages Service A with the “result” of the process. Service A then delivers the final result: it may be a web page with account information delivered over the Internet, or it may be pedal pressure that results in brake calipers slowing a car. In both cases the order of operations – the business logic – is clearly defined and invariable under normal conditions.

Abnormal conditions are often apparent in the message bus through deviations from or violations of business logic. Some abnormal conditions can only really be detected through such deviations and violations.

[Figure 1 labels: ERP, CRM; Messaging Flows; MESSAGE BUS; Data Centre / Cloud – Service Oriented Architecture; IoT Industrial Network or onboard device; Service or Device 1, 2, 3; Service or Device A, B, C]


Cause versus effect

Monitoring the message bus and business logic is looking for EFFECTS, versus possible CAUSES that may or may not result in a negative effect.

Conventional network security is about monitoring for millions and millions of known, potential threats – the causes and indicators of compromise (IoCs). Unfortunately, these systems consume vast resources in this effort and yet have no awareness of what a business effect would look like, because they don’t understand the logic of the message bus. They don’t understand the state machines which underpin the means of production and creation of value.

Figure 2 compares conventional security monitoring (NGFW/IPS and SIEM) with Decision-Zone business logic monitoring, and the direct effects on the creation of value in the business.

Monitoring for the effects rather than the causes provides an efficient approach to real-time business and security management not seen in conventional approaches to security such as NGFW/IPS or SIEM.

State machines represent the operational inter-system communication messaging model aligned to business policies and procedures. Malware, system defects and administrative errors are detected as invalid permutations of business logic. The permutations comprise the order of operations, or the business logic, in state machines.
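The state-machine view of business logic used in this primer (the Service A → B → 2 → A sequence under “What is business logic?”, and the detection of malware, defects and administrative errors as invalid permutations of that order) can be made concrete with a small monitor that replays bus traffic against the expected order of operations. The following Python is an added illustration and is not Decision-Zone's product code; the service names, message kinds, transaction ids and the sample bus trace are constructed assumptions.

```python
# Added illustration of the "state machine" view of business logic: a monitor
# that replays message-bus traffic against the expected order of operations and
# reports every message that is out of order, plus transactions that never
# reach their final state. Example code, not Decision-Zone's product. Service
# names (A, B, 2), message kinds, transaction ids and the sample trace are
# constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, str, str]  # (sender, receiver, message kind)


@dataclass(frozen=True)
class Message:
    seq: int    # position on the bus (constructed sequence number)
    txn: str    # transaction id, so interleaved transactions can be separated
    src: str
    dst: str
    kind: str


# Expected business logic for one transaction, encoded as a state machine:
# current state -> {observed message -> next state}. Under normal conditions
# exactly one message is legal in each state, matching the primer's
# A -> B -> 2 -> A sequence.
TRANSITIONS: Dict[str, Dict[Key, str]] = {
    "START":     {("A", "B", "request"): "B_ASKED"},      # A starts the process
    "B_ASKED":   {("B", "2", "request"): "TWO_ASKED"},    # B forwards to Service 2
    "TWO_ASKED": {("2", "A", "result"): "RESULT_IN"},     # 2 returns the result to A
    "RESULT_IN": {("A", "client", "deliver"): "DONE"},    # A delivers the final result
}
FINAL_STATE = "DONE"


@dataclass(frozen=True)
class Violation:
    seq: int                    # which message broke the order of operations
    state: str                  # state the transaction was in when it arrived
    observed: Key               # what was seen on the bus
    expected: Tuple[Key, ...]   # what the state machine would have accepted


@dataclass
class TransactionReport:
    final_state: str
    violations: List[Violation] = field(default_factory=list)

    @property
    def complete(self) -> bool:
        return self.final_state == FINAL_STATE


def check_transaction(msgs: List[Message]) -> TransactionReport:
    """Replay one transaction's messages (in bus order) through the state
    machine. A message not allowed in the current state is recorded as a
    violation and does not advance the state, so later messages are still
    judged against the expected order."""
    state = "START"
    report = TransactionReport(final_state=state)
    for m in sorted(msgs, key=lambda x: x.seq):
        key: Key = (m.src, m.dst, m.kind)
        allowed = TRANSITIONS.get(state, {})
        if key in allowed:
            state = allowed[key]
        else:
            report.violations.append(Violation(m.seq, state, key, tuple(allowed)))
    report.final_state = state
    return report


def monitor(bus_trace: List[Message]) -> Dict[str, TransactionReport]:
    """Split a raw bus trace into transactions and check each one. A
    transaction with violations is an order-of-operations deviation; one that
    is violation-free but never completes is a stalled process (the primer's
    "defect" case) rather than a hostile one."""
    by_txn: Dict[str, List[Message]] = {}
    for m in bus_trace:
        by_txn.setdefault(m.txn, []).append(m)
    return {txn: check_transaction(msgs) for txn, msgs in by_txn.items()}


# Constructed bus trace with three interleaved transactions:
#   t1 follows the expected order exactly;
#   t2 has Service 2 "returning" a result that B never requested, and A
#      delivers it anyway (a forged or defective result);
#   t3 starts but never progresses past the first step (a stalled process).
SAMPLE_TRACE = [
    Message(1, "t1", "A", "B", "request"),
    Message(2, "t2", "A", "B", "request"),
    Message(3, "t1", "B", "2", "request"),
    Message(4, "t2", "2", "A", "result"),
    Message(5, "t1", "2", "A", "result"),
    Message(6, "t2", "A", "client", "deliver"),
    Message(7, "t1", "A", "client", "deliver"),
    Message(8, "t3", "A", "B", "request"),
]

if __name__ == "__main__":
    for txn, rep in sorted(monitor(SAMPLE_TRACE).items()):
        status = "ok" if rep.complete and not rep.violations else "DEVIATION"
        print(f"{txn}: {status} final_state={rep.final_state}")
        for v in rep.violations:
            print(f"  seq {v.seq}: in state {v.state} saw {v.observed}, expected one of {v.expected}")
```

Run directly, the script prints one status line per transaction and lists each out-of-order message with the state it arrived in and the message the state machine expected instead; that "expected" tuple is what lets an operator trace the effect back to its cause in the state machine. In practice the transition table would be derived from observed traffic rather than typed by hand, and the wire format of the real bus would have to be mapped onto the (sender, receiver, kind) key.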

Characteristics                                    | IPS/DPI / SIEM / DMI
Form factor (Hardware Appliance/Software)          | Hardware / HW+SW / Software
Layer 3,4 (network, transport) mitigations         | ●
Malware Signatures (100’s of millions)             | ●
Attack Signatures (10’s of thousands)              | ●
Threat Intelligence (10’s of millions of entries)  | ● ●
Layer 7 (payload) inspection                       | ● ●
Historical analysis – log retention                | ●
Custom Event correlation                           | ●
Insider threats                                    | ● ●
Zero-day threat                                    | ●
Business logic deviations                          | ●
Maintenance and Defects issues                     | ●
Administration Errors                              | ●


Figure 2: Monitoring Effects versus Causes (row-group labels in the figure: CAUSES, EFFECTS)


Decision-Zone monitors the message bus for the correct order of operations to detect and remediate malware compromises, system defects or administrative errors, for real-time business and security management. This is a departure from the current, historical approach to business and security management, where millions of permutations of causes are first modeled and then monitored inside databases for compromises.

Figure 3: Monitoring the effect of compromise, defect or administrative errors

By monitoring the effect (the order-of-operations problem), Decision-Zone can identify the specific cause by referencing the state machine. Current approaches must associate millions of cause permutations with the problem and monitor all of those permutations to identify it.

Decision-Zone markets products to discover, secure and automate business logic on the message bus.

For more information, visit www.decision-zone.com or email [email protected].

[Figure 3 labels: CONVENTIONAL Signature Monitoring – Monitoring The Cause – Detect the Cause; DECISION-ZONE Business Logic Monitoring – Monitoring The Effect – Detect the Problem. Effects shown: Cyber Attack, System Defects, Administrative Errors. Cause categories: Equipment, Process, People, Materials, Environment, Management; Secondary cause → Primary cause → Problem]
