In a moment of vain weakness, I recently typed my name into Wikipedia – and to my surprise, I got one modest hit. Nearly a quarter of a century ago, I wrote a chapter on the use of threat trees in my first computer security textbook, and apparently, someone noticed. The result is my one little reference (it’s actually two) in the Encyclopedia of Planet Earth. I will admit that for someone who has authored six books and a zillion articles, this has its bittersweet ironies.
Despite such wild accolades, when lecturing today on threat analysis, rather than sketch a threat tree, I am much more inclined to use a threat-asset matrix as the basis for cyber risk modeling. The columns of the matrix will correspond to the familiar CIA taxonomy, while the rows will correspond to the valued assets of the system, network, or business being examined. And increasingly I’ve noticed that these rows are often just a long list of applications.
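As an added illustration (not part of the original post), here is a small Python model of the threat-asset matrix just described: rows are the valued assets, columns are confidentiality, integrity and availability, and each cell collects the threats identified for that asset in that dimension. The post describes only the layout of the matrix; the 1-5 likelihood and impact scales, the hotspot threshold, and the sample applications and threats below are constructed assumptions for the example.

```python
"""Threat-asset matrix for cyber risk modeling.

Added example, not code from the original post. Rows are the valued
assets (here, business applications), columns are the CIA dimensions.
Each cell holds the threats identified for that asset and dimension;
the cell's risk is the worst likelihood x impact among them. The 1-5
scales, the hotspot threshold and the sample data are constructed.
"""
from dataclasses import dataclass, field

CIA = ("confidentiality", "integrity", "availability")


@dataclass
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 5 (expected); constructed scale
    impact: int      # 1 (negligible) .. 5 (business-ending); constructed scale

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Asset:
    name: str
    cells: dict = field(default_factory=lambda: {d: [] for d in CIA})

    def add(self, dimension: str, threat: Threat) -> None:
        if dimension not in CIA:
            raise ValueError(f"unknown dimension: {dimension}")
        self.cells[dimension].append(threat)

    def cell_risk(self, dimension: str) -> int:
        # An empty cell is an unanalysed cell, not "no risk"; it scores 0 here.
        return max((t.risk for t in self.cells[dimension]), default=0)

    def worst(self) -> int:
        return max(self.cell_risk(d) for d in CIA)


class ThreatAssetMatrix:
    def __init__(self) -> None:
        self.assets: dict[str, Asset] = {}

    def asset(self, name: str) -> Asset:
        return self.assets.setdefault(name, Asset(name))

    def ranked(self) -> list:
        # Assets ordered by their worst cell: where to spend first.
        return sorted(self.assets.values(), key=Asset.worst, reverse=True)

    def hotspots(self, threshold: int = 12) -> list:
        # Cells at or above the threshold, in row-then-column order.
        return [(a.name, d, a.cell_risk(d))
                for a in self.assets.values() for d in CIA
                if a.cell_risk(d) >= threshold]

    def render(self) -> str:
        width = max(len(a) for a in self.assets) if self.assets else 5
        header = "asset".ljust(width) + "  " + "  ".join(d[:5].upper().ljust(5) for d in CIA)
        lines = [header]
        for a in self.assets.values():
            row = "  ".join(str(a.cell_risk(d)).ljust(5) for d in CIA)
            lines.append(a.name.ljust(width) + "  " + row)
        return "\n".join(lines)


def build_sample_matrix() -> ThreatAssetMatrix:
    """Constructed sample: the app list of a small business, a few threats each."""
    m = ThreatAssetMatrix()
    m.asset("payroll").add("confidentiality", Threat("payroll data exposure", 3, 5))
    m.asset("payroll").add("integrity", Threat("unauthorised salary change", 2, 4))
    m.asset("invoicing").add("integrity", Threat("invoice tampering", 3, 4))
    m.asset("invoicing").add("availability", Threat("billing outage", 2, 3))
    m.asset("email").add("availability", Threat("mail service outage", 4, 2))
    m.asset("storage").add("confidentiality", Threat("misconfigured share", 4, 4))
    m.asset("storage").add("availability", Threat("ransomware", 3, 5))
    return m


if __name__ == "__main__":
    matrix = build_sample_matrix()
    print(matrix.render())
    print("hotspots:", matrix.hotspots())
```

The useful output is not the grid itself but `ranked()` and `hotspots()`: once the rows are a list of applications, the matrix tells you which app, and which property of it, deserves the next security dollar.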
This observation matches my own experience starting a business. That is, one must first identify the functions necessary to be a successful capitalist – namely, invoicing, payroll, email, storage, calendars, customer service, and on and on. And then, for each of these, one simply selects a suitable app. For little companies, this means finding apps in the cloud. For larger entities, the selection, development, and procurement are a bit more involved – but the result is the same.
I had this concept on my mind last week while enjoying Indian food from Hoboken’s Karma Kafe with two of my good friends: Sameer Malhotra of CIX Software and Jennifer Bayuk, principal of a consulting firm under her own name. During our lunch, Sameer was explaining progress on his fine BUSHIDO platform, when he said something I considered profound. “We built our platform to secure business apps,” he explained, “because in many cases, your business is your apps.”
The way BUSHIDO works is that it embeds itself into the run-time environment of your business application and then pushes out telemetry based on advanced analytics. This is also profound, because it supports two of the primary cyber security requirements of any business: Real-time analysis and live mitigation. Both are wrapped in automation that creates an environment of detection, prevention, and support for rapid incident response.
Because the CIX Software team is located just a stone’s throw from my classroom at Stevens, I’ve had the opportunity to visit their offices several times. And each time, I’ve learned more about how their developers are truly pushing the envelope with their security algorithms. One area that is particularly impressive involves their technical solutions for real-time application self-protection, also referred to commonly in our community as RASP.
“We’ve tried to focus on visibility, application profiling, behavioral analytics, and support for incident response workflow,” Sameer explained. “This allows our customers to implement advanced protection initiatives for their applications. This includes dependency mapping, compliance monitoring, and even support for creating micro-segmentation around enterprise applications – which really helps companies address de-perimeterization.”
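To make the mechanism concrete, the following Python sketch (an added example, not BUSHIDO or CIX Software code) shows the pieces described two paragraphs up and in Sameer’s list inside one process: an agent that embeds itself around a data-access function at run time, a learning phase that builds the application profile as the set of normalised statement templates the app actually issues, and an enforcement phase that emits a telemetry event for every call and blocks, live, any call whose template was never profiled. The `RaspAgent` and `run_query` names, the literal-normalisation rule and the sample statements are constructed assumptions.

```python
"""Minimal RASP-style agent: profile the application, emit telemetry, mitigate live.

Added example; not CIX Software / BUSHIDO code. The agent wraps a function
in the application's own run time. While learning it records the template
of every statement the app issues (its "profile"); once enforcing it emits
a telemetry event per call and blocks any template it never saw. Names,
the normalisation rule and the sample statements are constructed.
"""
import functools
import json
import re
import time
from collections import defaultdict

# Literals become "?" so the profile stores statement *templates*,
# not the values a particular request happened to pass.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def normalise(sql: str) -> str:
    return _LITERAL.sub("?", " ".join(sql.split()))


class RaspAgent:
    def __init__(self) -> None:
        self.mode = "learn"                 # "learn" -> "enforce"
        self.profile = defaultdict(set)     # function name -> known templates
        self.events = []                    # telemetry; a real agent ships this out

    def enforce(self) -> None:
        self.mode = "enforce"

    def _emit(self, **fields) -> dict:
        event = {"ts": round(time.time(), 3), **fields}
        self.events.append(event)
        return event

    def guard(self, func):
        """Decorator that embeds the agent around a data-access function."""
        @functools.wraps(func)
        def wrapper(sql: str, *args, **kwargs):
            name = func.__name__
            template = normalise(sql)
            if self.mode == "learn":
                self.profile[name].add(template)
                self._emit(action="learned", func=name, template=template)
                return func(sql, *args, **kwargs)
            if template not in self.profile[name]:
                # Live mitigation: the call never reaches the data layer.
                self._emit(action="blocked", func=name, template=template, severity="high")
                raise PermissionError(f"RASP blocked unprofiled call: {template}")
            self._emit(action="allowed", func=name, template=template)
            return func(sql, *args, **kwargs)
        return wrapper


def make_app(agent: RaspAgent):
    """Hypothetical invoicing app: its data-access layer, guarded by the agent."""
    @agent.guard
    def run_query(sql: str) -> str:
        return f"executed: {sql}"   # stand-in for the real database call
    return run_query


def demo():
    agent = RaspAgent()
    run_query = make_app(agent)
    # Profiling phase: what the app normally issues (constructed statements).
    run_query("SELECT id, total FROM invoices WHERE customer_id = 17")
    run_query("UPDATE invoices SET paid = 1 WHERE id = 9001")
    agent.enforce()
    results = {}
    # Same template, different literals: allowed.
    results["allowed"] = run_query("SELECT id, total FROM invoices WHERE customer_id = 23")
    # A statement shape the app never produced during profiling: blocked.
    try:
        run_query("SELECT email FROM users WHERE id = 5")
        results["blocked"] = False
    except PermissionError:
        results["blocked"] = True
    return agent, results


if __name__ == "__main__":
    agent, results = demo()
    print(json.dumps(results))
    for event in agent.events:
        print(json.dumps(event))
```

Two design points carry over to real deployments: the profile must be keyed on statement shape rather than values, or every new customer id looks like an anomaly; and the `events` list is the point where the "telemetry based on advanced analytics" would leave the process for the incident-response workflow, with the blocked event carrying enough context (function, template, severity) to be actioned without re-reading application code.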
My advice is this: It’s time to recognize that your business is no longer valued primarily on your tangible assets. This is true for every sector – even ones with massive brick and mortar operations (think Amazon.com). Instead, your business value is much more likely to be based on its virtual capabilities. That is, business value is now based primarily on the quality, power, appropriateness, and yes – the security of your applications.
With this mindset, I think it makes perfect sense to consider implementing a more powerful and automated security solution for your applications – and I am personally kind of partial to self-protecting approaches. So, give Sameer and his CIX Software team a call. And if you visit their offices, ask him to order up some nice box lunches from Karma Kafe. I think that food puts Darbar in Palo Alto to shame.