Security Experts:

Dark Space: What You Don’t Know Can Hurt You

It’s funny how often, as I go about my day job in network security assessment and risk management, I run into parallels with other fields. One good example comes from cosmology (although I suppose I should be careful using words like “parallel” about the people who worry about the curvature of space).

Physicists were interested to measure how quickly the expansion of the universe was slowing down – it had to be slowing down, due to gravity, but the question was “how fast?” (Answering that would indicate the fate of the universe – the choice between the so-called “big crunch,” and the equally un-tempting “heat death.”) So they looked into ways to measure deceleration – they gathered data on objects further and further away (and thus further and further back in time), expecting to pick up the inevitable slowing down that had to be there.

Network Security Dark Space DefinitionAnd what did they find? Exactly the opposite of what they expected – the universe is actually accelerating! This effect now goes by the name “dark energy” – a mysterious force pushing space apart. It added another enigma to the earlier discovery of “dark matter” – mass that we can tell is out there, making up most of the universe, but that we just can’t see. (We don’t know what dark matter is made of, but that doesn’t stop physicists inventing cute names for the particles involved, ranging from the WIMPs of one theory to the contrasting MACHOs of another.)

So what does this have to do with network security? Well, by a similar process, some of us set out to measure risk posture – to see how well organizations were defending themselves by reducing their effective attack surface, promptly patching newly discovered vulnerabilities, and generally striving to be a “hard target”. We knew what we were looking for – attack paths across a network, built up into attack chains. And sure enough, we found them – lots of them. So many, in fact, that we had to re-design our early visualization displays so they didn’t just turn red all the time – so much risk, so many ways to break in, that it wasn’t immediately obvious how to pick the highest risk contributors. We’ve figured out how to show that now. Life lesson: if you’re looking at fireflies, you might want a magnifying glass, but if you’re looking at searchlights, it’s not such a good idea.

But that wasn’t the big surprise – we were looking for risk, after all, and we found quite a bit more than we anticipated. The deeper, unspoken assumption we had – similar to the physicists who knew they were looking for deceleration – was that customers would have good network data collections. After all, doesn’t every operations team keep a good inventory, just for daily break/fix work? Even if not, don’t security audits guarantee you’d have a decent repository of configuration data? Experience says no. Every network we set up in our model would turn out to be incomplete – sometimes just a little ragged around the edges, other times it would fall apart into separate islands, showing that much of the key infrastructure was unmanaged.

I credit John Stewart, CSO of Cisco, for applying the term “dark space” to this problem. He’s quite right – it’s become a universal we find in all networks, whether civilian or military, enterprise or small, cloud or private. He pointed out that the network security visualization we had built gave security teams new insight into the data they had, but that it was also somewhat distracting. Shining a bright light on the known network is compelling, but what John wanted, as a CSO, was a way to focus on the un-seen, the invisible.

It sounded like a tall order, but over the last couple of years, we’ve found several ways to do this. And sure enough, as soon as you look at the problem the right way, you begin to realize how much you were missing. We’ve found that every security team has “known unknowns” – assets that are out of sight, not properly monitored or tracked, but detectable nonetheless due to their impact on other assets you can see. This is comparable to the physicists’ dark matter – we can tell it’s there through gravity that indicates there’s mass we’re not seeing. It’s making galaxies spin faster and cluster more than they otherwise would. Beyond these effects, it’s proving to be really elusive stuff. The good news in security is our kind of “dark space” is generally quite easy to shine a light into, once you know to look. We’ve found that existing security datasets can be used to locate missing information. I’ve seen security teams exploit this quite effectively: starting from a limited dataset, they looked for references to missing objects, gathered those configurations, added them to the dataset, and repeated. After a few iterations of this process, the “dark space” shrank away, increasing the team’s ability to see what was going on.

So the bad news is that dark space is everywhere – it’s a major challenge to security teams in every network we’ve seen. The good news is the problem can be solved, and complete coverage can be achieved. A number of benefits follow – not the least being the basic utility of having a solid map of your infrastructure. We’ve seen a great many other payoffs from investigating “dark space”; some we intended, such as the ability to accurately model risk and manage attack surface. Others continue to surprise us – one organization used maps to help with sensor placement, which we hadn’t anticipated. Another has turned the maps they generated while hunting “dark space” into resources for training new hires, showing them the security architecture uncovered along the way. The surprises continue – as any applied scientist will tell you, the most important step is to start looking!

view counter
Dr. Mike Lloyd is Chief Technology Officer at RedSeal Networks. He has more than 25 years of experience in the modeling and control of fast-moving, complex systems. He has been granted 20 patents on security, network assessment, and dynamic network control. Before joining RedSeal, Dr. Lloyd was CTO at RouteScience Technologies (acquired by Avaya), where he pioneered self-optimizing networks. Lloyd was previously principal architect at Cisco on the technology used to overlay MPLS VPN services across service provider backbones. He joined Cisco through the acquisition of Netsys Technologies. He holds a degree in mathematics from Trinity College, Dublin, Ireland, and a PhD in stochastic epidemic modeling from Heriot-Watt University, Edinburgh, Scotland.