Racing to keep ahead of the bad guys

As computer technologies develop, HP Labs researchers are looking for new ways to keep them secure

By Simon Firth

Martin Sadler, Director, Cloud and Security Lab.

“The bad guys are getting more clever by the day,” says Martin Sadler, director of HP’s Cloud and Security Lab.

Individuals, criminal organizations and even rogue governments looking to infiltrate, corrupt or steal from modern data networks are increasingly well funded, he notes.  It means they can afford to hire exceptionally talented people.  And they’re able to access increasingly sophisticated tools.  “There are a lot of people out there actually developing tools for attackers now,” adds Sadler.

At the same time, global trends in technology, such as the rise of cloud computing, and in legislation, where new laws are enshrining individual rights to privacy, are creating a wider array of new vulnerabilities.  

The result is both confusion and growing expense.  IT system owners and administrators often aren’t certain where they are most vulnerable – and as a result, they end up spending considerable sums on privacy and security measures without knowing whether it’s money well spent.

It needn’t be that way, believes Sadler.

“As we address these new risks,” he says, “the important thing is that we take a rich context into account.  Then we can use decision engines and sophisticated modelling techniques to determine the right solutions to apply for each case. As a result of the work we’ve been doing at HP Labs, we have solutions in both areas - privacy and security - that allow you to do this.”

A tool to manage privacy laws

Siani Pearson, Senior Researcher, Cloud and Security Lab.

Privacy and security are two sides of the same coin.  While organizations – whether corporations, government agencies or NGOs – need to ensure that their own data remains secure, they are also typically held legally responsible for maintaining the privacy of information they hold about customers, citizens or employees.

Meeting that responsibility can be a struggle, however, both because privacy laws are evolving rapidly and because they vary enormously across the globe. 

“It’s especially problematic for multi-national companies, where you have global businesses,” says HP researcher Siani Pearson, who’s spent the last couple of years investigating the issue. “It can get very complex in deciding which regulations and laws will apply.”

As a consequence, corporations often find themselves on the wrong side of privacy laws, Pearson explains. “Say you’re awarded a deal where you promise to put a data center in a particular country,” she says, “and you only afterwards find out the country won’t allow data to be used as you’d planned.  Now you’ve got to move the centers and you can lose a lot of money on the deal.”

To address this, Pearson and colleagues in HP’s Cloud and Security Lab have created the HP Privacy Advisor. Currently a pilot program being tested internally by a group of HP employees, the Privacy Advisor is an online tool that allows its users to establish early on whether a proposed course of action will clash with national – or HP’s own – privacy standards.

Automating the privacy compliance process

Developed in close collaboration with HP’s corporate Privacy Office, the Privacy Advisor is in effect an advanced decision support engine. Users work through a series of questions generated automatically by the Advisor.  Early in a project, the engine can flag proposed actions that conflict with HP’s or a particular country’s privacy rules. Once projects are established, it can be used to document that a particular project complies with any particular set of regulations.

Creating the Advisor required developing an artificial intelligence expert system that was predictably accurate, which is not a characteristic of conventional AI systems.

“There really is nothing else like this that is as reliable, or as complex, as we need it to be and that works for people with no privacy knowledge whatsoever,” says Pearson.

Automating both the querying and certification of privacy compliance makes a huge difference, adds lab director Sadler.  “A big reason companies have privacy problems is because they don’t bother trying to comply, because it’s just too difficult or too expensive to do. The HP Privacy Advisor addresses both those problems.”

Data protection – everyone’s responsibility

An important characteristic of the HP Privacy Advisor is that it offers a clear indication of where a proposed project sits along a spectrum of risk.

That lets non-experts understand the degree to which they risk violating privacy rules or standards, and it allows members of HP’s Privacy team to focus their attention on the highest risk cases – thereby maximizing compliance while also efficiently directing the available human resources.

“It’s also a way of making privacy data protection everyone’s business in a company,” adds Sadler.  “It’s not an R&D question or a marketing question.  It’s everybody’s concern, because these days everyone touches customers one way or another.”

In Sadler’s opinion, the same is true for the security of a company’s own data.

Just as employees in corporations and governments increasingly have access to large sets of customer or citizen data, so their use of new technologies – cloud computing, the internet, Wi-Fi, USB memory cards, etc. – is shifting the kinds of risk that organizations face as they try to keep their own data secure.

It’s led to a host of new ways in which the ‘bad guys’ can attack, Sadler explains.  And it’s made it harder for organizations to know where they are most vulnerable – and thus to get the best return on the considerable sums that they currently spend on securing their IT.

“What’s required,” says Sadler, “is a two-fold response.”

“The first is kind of obvious,” he says.  “It’s where you use analytics to look at the massive amount of data coming off your networks and ask: am I under attack or not? If I’m under attack, what kind of attack is it?  And can I find very, very clever, sophisticated attacks in all this data?”

HP works in that space, he says, along with many other companies.

Investing in security automation

The other response, explains Sadler, “is to ask: ‘Can I be more structured in the way I think about risk?’” 

That’s less common and much harder to pull off, he believes.  But in a recent project that teamed HP researchers with a major American investment bank, Sadler’s team created an analytic toolset that lets an organization model the security risks they’d face if they took a particular course of action.

As a result, organizations can make much more rational decisions about where they spend their security budget and how much they allot to each area.

“It basically takes things back to economic tradeoffs,” says Sadler.  “If I put more money in, do I make my environment more secure or it doesn’t make a lot of difference?”

In many organizations, though, security threats are still ranked based on little more than hunches.

“We’re trying to get this from being a back-of-the-envelope calculation to one that is based on some hard data,” says Sadler. “We think of it as the beginnings of how you start to put science, if you like, into this whole security life cycle and start to really join it up.”

An entire Security Analytics toolset created by the HP Labs team is now available to HP customers through Vistorm, a security services company acquired by HP’s Enterprise Business unit in 2008.  

“The goal is to automate security,” says Sadler.  “And you can at least start to get there if you understand the tradeoffs you are making.”

Solutions that work and inspire trust

Automating security intelligently promises to reduce vulnerabilities and save money at the same time.  But it also promises to increase the levels of trust that people have in each other and in the organization that holds the data.

In a world in which the bad guys are getting cleverer all the time, that’s essential, says Sadler.

Increasingly, he believes, “everything we see around security and privacy is also about getting buy-in.  It’s not enough to have the solution -- you have to convince people you have the solution.  I can’t say, ‘I’m trustworthy, so give me your data in the cloud.’  I have to convince you.”

As much as it’s directed towards enabling better decisions to be made with fewer resources, Sadler says, HP’s security and privacy research is also very much about establishing how that trust can be grown.