Peace of Mind: Anomaly Algorithm Enhances Seccuris Managed Security Service Offering
By Linda Forrest on Jul 9, 2012 / Categories: Blog, Partners
The following post was originally published on the website of CDMN Node TRLabs and is re-posted here with permission.
There’s been much talk in the last year about the 99% and the 1%. Beyond Wall Street, if we upped the ante and applied a 99.99% security rate to a corporate network, it’s been said that in the U.S. 880,000 credit cards would have incorrect cardholder information on their magnetic strips, two planes at Chicago’s O’Hare airport would have ‘unsafe’ landings each day, 12 newborns would be given to the wrong parents each day, 315 entries in Webster’s Dictionary would be misspelled, and 18,322 pieces of mail would be mishandled every hour.
Confidentiality, integrity, authentication and availability are cornerstones of corporate trust in its network(s), and of customer trust in placing their data within systems. The trouble is that trust is exponentially difficult to achieve in a world of increasingly sophisticated intruders.
Enter Seccuris (est. 1999), a Winnipeg-headquartered provider of turn-key Managed Security Services (MSS), and a leader in information assurance research and solutions. Initiated as a TRLabs/Seccuris research project in 2009, a Behaviour Anomaly Algorithm and prototype software were commercialized into Seccuris’ MSS offering in the Fall of 2011. The MSS offers 24/7 IT security services to customers who have elected to outsource their IT security monitoring and management. Installed between the client’s network and the Internet, the MSS manages all monitoring, collection and log transmission activities for the various computing devices on the network. The solution aggregates and normalizes log data and alerts through an encrypted channel to the client’s security devices. Data mining and correlation activity enables Seccuris to remotely analyze data for anomalies and signs of malicious activity.
The TRLabs research team built a computer model that learns and characterizes ‘normal’ system behavior, a benchmark that can be evaluated in combination with trigger information from traditional IT security sensors to help better identify conditions for IT security event escalation. Construction of the model required computer interfacing, programming, and statistical and behavioural modeling activities. The new algorithm operates with the information captured by the MSS database.
“A security breach of RockYou.com revealed that 290,731 users, or almost 1% had chosen the password ‘123456’.” Src: www.afactaday.co.uk/2010/01/interesting-fact-1238-internet-security.html
Seccuris Director of Research and Development Paul Card says the algorithm has been a robust addition to the MSS, now deployed to monitor 500,000 hosts across Western Canada. “The algorithm has detected advanced persistent threats (APT) in four customer environments in the past 16 months, detecting intruders that wouldn’t have been detected with traditional signature-based techniques.” Paul adds that the algorithm is a differentiator in the information assurance market, generating a competitive advantage for Seccuris.
TRLabs President & CEO Rob Tasker says the research collaboration also demonstrates a key TRLabs value proposition – access to talent – as he notes that Paul Card spent many years at TRLabs as a researcher, and was the research lead on the Seccuris anomaly algorithm project. Two additional former TRLabs students have been recently hired by Seccuris. “We’re unusual in that many – almost 1000 people since 1986 – join TRLabs for a period of time as students, staff, or researchers, then leave to populate Western Canada’s ICT sector with knowledge leaders,” Rob says. “We succeed when applied knowledge is diffused into the marketplace.”
“We make sure 99.999% of the pixels in our screen are in perfect working order. It’s that last .0001% that keeps us up at night.” Src: Fujitsu Advertisement
Seccuris will further leverage the algorithm with a move to extend the reach of information security services to small and mid-enterprise business customers who are often overlooked in the market due to service cost structure. In January, 2012 Seccuris and SaskTel formed a partnership to develop an Information Assurance Portal (IAP) that will provide a comprehensive set of information security services to smaller enterprises. The first release of the IAP is targeted for the Fall of 2012 (news release link: http://www.seccuris.com/documents/press_releases/Seccuris_SaskTel_IAP_NEWSRELEASE_25012012.pdf).
Seccuris has two active projects underway with TRLabs, with two further projects proposed. Projects underway are looking at taking the output of traditional monitoring technology and the anomaly algorithm and building a correlation engine that models both network and adversarial behaviour. Proposed projects will look at moving solutions into low cost environments, and advancing the state of the art in event correlation and network modeling.
The total impact of data loss and industrial espionage related to network intrusion is notoriously difficult to quantify due to industry reluctance around releasing information related to data breaches. However, in 2011, the British Office of Cyber Security and Information Assurance estimated that cybercrime costs the United Kingdom £27 billion per year, of which £21 billion was lost by businesses, mostly to espionage and intellectual property theft. The FBI estimates ‘hundreds of billions’ per year in costs to the US. Closer to home, the Canadian Cyber Security Strategy estimates that the economic losses associated with identity theft (which, for the UK data, represent only 6.3% of the total losses) cost Canadians $1.9 billion each year.
Src: www.baesystemsdetica.com/uploads/resources/THE_COST_OF_CYBER_CRIME_SUMMARY_FINAL_14_February_2011.pdf, accessed May 2012
Src: www.fbi.gov/news/testimony/cybersecurity-responding-to-the-threat-of-cyber-crime-and-terrorism, accessed March 16, 2012
Src: www.publicsafety.gc.ca/prg/ns/cbr/ccss-scc-eng.aspx, accessed March 16, 2012
Seccuris is also actively involved in the TRLabs ICT Security Ecosystem, a ‘collaboration of the willing’ (foundation partners currently include industry, education, and healthcare sectors; expansion of the ecosystem is envisioned to include industry consumers, ICT vendors, service providers, government, and academia) that has opted to research shared ICT security innovation challenges. An ongoing project is investigating a pathway for introduction of personal devices into the healthcare provider space. “The ecosystem is advantageous to Seccuris on many fronts,” Paul says. “It illuminates potential future business paths, provides access to researchers and students, allows for mindshare with customers and competitors, and pools resources in spaces where we’re not in competition with each other.”
Now the largest information assurance company in Canada, Seccuris has expanded to 88 employees (the R&D group has grown from one to 20 employees in the last two years) with operations in Toronto, Calgary, Victoria, and Regina, and consulting services in Washington, DC. Further near-term expansion into the U.S. is envisioned.