The Power of Provenance: From Reactive to Proactive Cybersecurity

by Frank Wei on August 15, 2022

While next-gen firewalls (NGFW), extended detection and response (XDR) and other security solutions do a great job of detecting and thwarting cyberattacks, it’s just too common for a sneaky or camouflaged threat to slip through into the network. Heroic efforts by the security team are then required to mitigate the damage and remediate the vulnerabilities. When you add in the high numbers of inaccurate security alerts and routine maintenance and management tasks for security solutions, too often cybersecurity professionals are forced into a reactive mode. Essentially, security teams become firefighters rather than fire prevention specialists.

Meanwhile, the hackers behind malware, advanced persistent threats (APTs) and other exploits are only becoming more sophisticated. Often, cybercriminals use evasive techniques to obfuscate an attack’s origins in an attempt to elude first-line security defenses. They might use anonymous networks, for example, or mask the IP address, deploy a botnet or use any number of other techniques. These methods obscure the true origins—or provenance—of the threat. A number of security methods, like blacklists, malware signature matching and others, rely at least in part upon being able to identify the origination point of an attack. The devious methods of disguise used by hackers might therefore escape detection by certain baseline security techniques.

Become Proactive Through Provenance Analysis

Provenance analysis is a relatively new field of research in the cybersecurity realm. Put simply, it uses vast amounts of log data collected by various network devices, standardizes and analyzes it, and peels back the layers of obfuscation to identify the real source of an attack. Once identified, a network attack can be blocked and/or terminated in real-time.

Rather than detecting an attack only after it has locked or corrupted network components, it allows security teams to become proactive—identifying threats before they can cause damage.

Currently, a number of existing security technologies like NGFWs, IPSs, WAFs and others support log aggregation, which allows log data to be examined across multiple dimensions. Security personnel can use log aggregation to identify suspicious anomalies or detect false positives, and then tune policies or take other actions.

While log aggregation is a valuable security tool, it does require human analysis and tracing of the root of an attack. It’s definitely a consideration when choosing security solutions. But it doesn’t quite rise to the complete definition of fully automated provenance analysis.

Cybersecurity Challenges Ahead

Before we can reach the full potential of provenance analysis, a number of big challenges stand in the way. For example, it requires a monumental amount of storage for all of the data that it takes in. Computing and network bandwidth overhead are also immense challenges that directly affect the practicality of provenance analysis from an engineering standpoint. Likewise, traditional network constructs and protocols aren’t typically designed to support provenance analysis.

Another area of concern is sensor network structures, like those used by the internet of things (IoT). While these architectures typically can feed log data into the provenance analysis engine, pushing mitigation and enforcement measures back out to IoT devices can be a challenge. With the proliferation of IoT devices in corporate settings, as well as their noteworthy vulnerabilities, effective cybersecurity for these devices only becomes more urgent.

Looking ahead, certain newer network architectures like cybersecurity mesh architecture (CSMA) and software-defined networking (SDN) can help make provenance analysis not only feasible but more widely available regardless of the legacy network infrastructure. In the interim, a number of the provenance analysis techniques—like log storage query and data packet marking—are likely to be packaged and become available sooner. These transitional solutions can then provide a pathway to more complete provenance analysis deployments in the future.

Provenance Analysis: What’s Next?

While provenance analysis is still in its infancy, it is an area of active research for academics, the network security industry and others such as the Alan Turing Institute. Although there are a number of obstacles and impediments to achieving a complete provenance analysis solution, the level of risk posed by APTs and other cyberthreats mandates a new way to defend against them. It’s a way for cybersecurity professionals to move from a reactive to a proactive stance—to transform from constantly fighting fires to preventing them from occurring in the first place.

August 15, 2022August 9, 2022 Frank Wei APT, cyber resilience, Cybersecurity, hacker, Malware, provenance analysis

Frank Wei

Frank Wei, Ph.D. is a research analyst at the Research Institute of New Technology (RINT) at Hillstone Networks based in the Silicon Valley. His scope of research spans deep neural networks, advanced threat correlation analysis, threat intelligence enrichment, and intrusion detection, among other topics in the network and cybersecurity space. Over the last few years, Dr. Yunchuan has published six academic papers (2 SCI-index), with one paper accepted at IEEE INFOCOM, and has been awarded nine patents. Dr. Yunchuan graduated from the Beijing Institute of Technology with a Ph.D. He has also been a visiting Ph.D. candidate at the University of California, Davis.

frank-wei has 1 posts and counting.See all posts by frank-wei