A dramatic time-saving innovation for device security validation
Protecting against cyber attack calls for a significant commitment of time and resource but one UK supplier has developed a new tool to free up manpower, as defence features writer Mark Lane reports.
States’ vulnerability to cyber attack is growing as greater interconnection between various government and military IT platforms demands a significantly higher level of resilience.
Like all forms of conflict, the war in cyber space is not just a technological arms race but also a question of resource and manpower.
Attacks come in the form of advanced persistent threats (APTs) and these attacks are driven not only by human assailants, but also by automated bots. The sheer volume of incoming threats is swamping human resources and the cyber skills gap continues to grow, with a predicted shortfall of 1.8 million cyber security workers by 2022.
Manual penetration testing of IT systems calls for a time-consuming, line-by-line build review and configuration analysis of each device in that system to see whether a firewall, switch or router is hardened against an attacker getting into it. It also needs an examination of how all these devices interact and what weaknesses are there to be exploited, covering configured services, configured protocols and filtering rules. All of this might take between half a day and a day per device.
“In short, there is no possible way that somebody like a defence organisation with thousands of these devices can have the manpower to do that, so then they’re compromised on testing,” says Nicola Whiting, Chief Operating Officer of UK cyber security firm Titania.
“They say: ‘We’ll test it as we deploy it and then we’ll hope for the best or we’ll test x number out of a 100’. You’re making compromised decisions because there is no other way of doing it.”
This was the problem that Worcester-based Titania was set up to address in 2009 by founder and current Chief Executive Ian Whiting, who was then a penetration tester and CHECK team leader (CHECK being the UK government scheme for approved penetration testing) working for a number of large organisations including the Ministry of Defence. He wrote software, Nipper Studio, to automate the process.
This product, according to Titania, reduces the day taken to validate the security of a device by manual testing to ‘a couple of seconds’. It reports vulnerabilities and gives instructions on how to address them.
“Penetration testers and check team leaders are the equivalent of your cyber generals, the people with all the knowledge who should be taking a helicopter view and saying: ‘Where am I going to be attacked next?’,” says Whiting. “Instead, by making them do build reviews, you’ve got them in a trench filling sandbags. It’s not good use of experienced people. If we can automate that process – which is what we do – you free up those generals to do what they’re better at, which is to do strategic things and to get ahead of the curve.”
Since its formation, Titania has grown from a start-up to a team of 50 people in offices in Worcester and Virginia in the US, with clients in more than 80 countries and with 90% of its business coming from overseas sales – the company enjoyed a 400% growth rate in the past year.
Last month Titania was announced as a 2017 recipient of the Queen’s Award for Innovation.
Defence and government is a growing market for the company and it now accounts for about a quarter of its business.
One of the most significant contracts Titania won was with the US Department of Defense (DoD) in 2011.
“They approached us and said we hear you’ve got this technology and we’d like to buy it,” says Whiting.
As a young company, Titania did not have the necessary Certificate of Networthiness, a US Army accreditation concerned with the identification, measurement, control and minimisation of security risks and impacts in IT systems; it applies to all organisations fielding, using or managing information systems on the US Army’s networks. However, the DoD helped the company to obtain the certificate and then bought Nipper Studio, and the DoD has been a customer ever since.
The type of analysis performed by the DoD includes compliance checking against STIGs (Security Technical Implementation Guides), which describe how cyber infrastructure and systems should be configured and secured.
“We realised that what they were using our software for was to get exact information, because to make a decision it has to be accurate and reliable,” explains Whiting. “We went and met with the DoD’s experts in penetration testing and in a period of six weeks we took our output and mapped it to the STIGs – we were the first organisation in the world to do that. So then they could run our software against a configuration for, say, a Cisco firewall and it would report saying this is compliant or this is not compliant, this is how that needs to be fixed according to the DoD. Again, it freed up those generals in the trenches. It’s an instant upskill as well as saving vast amounts of time, and saving that time through automation is a win for everybody.”
The US cyber offensive programme also now uses Nipper Studio, the Department of Defense contract having been a springboard to other work.
“The DoD were our first defence customer,” says Whiting. “That started off with the Army, then the Air Force, then the Navy in various formats and the FBI. What tends to happen, particularly in America, is that contractors go in and work in the military and when people find good tools they tend to talk about them, so a lot of our growth has been organic. What that has meant is that the procurement process has been a lot simpler for us because they have either come to us direct or they have found ways to buy us. The people who have been the champions of our technology in the military have removed any potential blocks that we may have faced.
“Now that the volumes of licences are becoming so much larger – $500,000 at a time or greater – we are going through some of the procurement routes to make it easier. We are just coming to the end of applying for the GSA schedule, which can take about four months.”
GSA Schedule Contracts streamline the US federal government sales process with pre-established pricing, terms and conditions that government buyers can use to purchase from a company.
The contract with DoD led to further defence work elsewhere.
Whiting says: “As soon as we had that success in America it was easier for people to recognise that the US DoD were using us and we had a certificate of networthiness so we had been looked at in some detail.”
Titania has recently provided an add-on to Nipper Studio which allows the user organisation to schedule regular runs of the system at a frequency and timing of their choosing.
The next challenge is to automate the fixing of vulnerabilities in systems to stay one step ahead in the cyber war arms race.
The post A dramatic time-saving innovation for device security validation appeared first on Defence Online.