A “VAST” Step Forward in Cyber Security

March 7, 2017
By: Wallace Ravven

Some attack for money, some for power. Whatever the motivation, the invasions can change lives, and even history. 

Vern Paxson
Vern Paxson and his team build on 20 years of experience to effectively understand and combat today’s cyber security threats. Photo: Peg Skorpinski

The Russian hack of Democratic strategists’ email accounts caught the Clinton campaign off guard, and may have swayed the election. Two years earlier, Russian hackers stole more than a billion passwords, exposing personal, corporate and government communications around the world.  

Vigilant cyber security analysts at large companies and government agencies try to quickly isolate breaches to prevent a cyber contagion within their organizations.

Twenty-two years ago as a Berkeley computer science graduate student, Vern Paxson devised a potent security tool he called Bro, now used worldwide to instantly capture the torrent of communications that a hack might compromise. 

Bro functions like a flight recorder, says Paxson, now a Berkeley computer science professor.  It collects huge volumes of log data  — “a fire hose of data at the border between your site and the rest of the public internet,” Paxson says. What Bro doesn’t do is index the information for quick access and exploration. That forensic task falls to the analyst, and in the age of Big Data, analysts often need to search terabytes of data to figure out the extent of an attack.  

With support from the Signatures Innovation Fellows Program, Matthias Vallentin, a postdoctoral researcher working with Paxson, is developing VAST, a system to empower the forensic task by helping analysts pinpoint how much of an organization’s computer network has been compromised, and where.

“VAST helps the analyst prioritize the investigation of a security breach.  It’s peeling the onion,” Vallentin says. 

“You start off with the first hint. It could be an anomaly in the system. But then, digging in, you need to follow the thread to discover the scope of what happened. That is the forensic process that VAST supports.” 

VAST works with analysts in a very interactive way, Vallentin says. “The analyst can say, ‘I need to go back to a month ago, and see if the same type of hack I see here occurred back then at a different site.’ VAST can access the data almost instantly.” 

Paxson and Vallentin work very closely with cybersecurity experts at UC Berkeley’s DOE-funded Lawrence Berkeley National Lab, an institution with both extraordinarily high data volumes and a range of pressing security needs. 

Matthias Vallentin
Postdoctoral researcher Matthias Vallentin is developing the network forensics platform VAST to increase analyst productivity while investigating security breaches. Photo: Peg Skorpinski

The partnership is ideal, Paxson says, since it provides LBNL with potent new cybersecurity tools and at the same time serves as a test bed for even quicker, more powerful strategies to support such an institution. 

Once an organization’s security team identifies a suspiciously large connection to an unknown external machine, an “onion peeling” cybersecurity search might continue something like this, Vallentin suggests: 

“Maybe the external machine also appeared in a phishing email, which contained a PDF attachment. Not only that, but the PDF also includes a malicious payload, which upon opening, sends sensitive information from the employee’s computer to a cyber criminal.  VAST supports this iterative process to reconstruct the complete picture and presents it on a platter.”  

Bro was developed as an open source platform to encourage widespread use. It is now a key part of the operational security systems of tens of thousands of organizations worldwide, including Fortune 50 companies and many government agencies, Paxson says.  He and Vallentin intend for VAST to be an open-source product as well.  

“This makes it very easy to grow a community,” Vallentin says. “Once it is established and providing network security, business opportunities arise when you consider ‘what can we build around it?’ That’s where the commercial potential is.” 

“We are already talking with venture capitalists about what would make a viable product strategy. Who are the potential core users? What product will we market down the line? How do we package it to make it attractive and easy for users? These are business strategies independent of the technical solutions VAST offers.”

The Berkeley cybersecurity startup Corelight provides one model for the possible commercialization of VAST. Paxson co-founded Corelight to produce enterprise products based around the open-source Bro network monitoring software. While Bro remains freely available under a BSD license, Corelight has developed integrations and advanced features required by large companies.

Vallentin’s long-term vision is to make VAST a “robo investigator” to automate much of the interaction with security analysts to make it a continuously running process at every enterprise. 

“This will free analysts to tackle other threats. There is an incredible shortage of analysts. Usually they have a queue of security threats to investigate — often 100 or more. Anything that saves them time will save money and allow them to switch to harder problems.”  

____________________________ 

The Signatures Innovation Fellows Program supports innovative research by UC Berkeley faculty and researchers in the data science and software areas with a special focus on projects that hold commercial promise. 
For more information, see http://vcresearch.berkeley.edu/signatures/about.