NODES 2022: David Bader Declares, No More Perimeters in Networks

Cover image of the ruins of Donnottar Castle in Aberdeenshire by Schlapfm, licensed through Creative Commons.

See “Security and Velocity Through Declarative Ingestion” with Zach Probst, senior security software engineer at software provider Intuit, live during Neo4j’s NODES 2022 live streaming webcast at 2020 GMT / 3:20 pm ET / 11:20 am PT Wednesday, November 16. Registration for the 24-hour live, worldwide event is free.

Up until three years ago, David A. Bader was the Chief Data Scientist at Atlanta-based Ionic Security, just before its acquisition by customer data platform provider Twilio. Its initial product was an on-the-fly data encryption system. Ionic deliberately eschewed the more transactional, responsive approach to organizations’ security posture, opting instead for a policy that presumed, as a default state, that all data and all hosts in a system were already compromised.

Long-time readers and customers of Neo4j will be familiar with Prof. Bader, whose public declaration four years ago that graph databases were now mainstream, we sincerely appreciated. Then at Georgia Tech, Bader noted that graph databases were being put to work solving real-world problems. Now a distinguished professor at New Jersey Institute of Technology, he has been the driving force behind the US Defense Dept.’s DARPA program HIVE — Hierarchical Identify Verify Exploit. In recent years, HIVE has devoted itself to devising novel architectures for addressing graph constructs in memory, by way of hardware accelerators such as Micron’s Automata chip.

In advance of Neo4j’s upcoming NODES 2022 virtual conference, we sat down to catch up with Prof. Bader, to find out if that mainstream wave he confidently declared in 2018 has found its way to the cybersecurity space.

David Bader: The whole premise for the company [Ionic] was that every organization is compromised, every host is compromised, every computer, every network. And now, [its time to] protect your crown jewels. It inverted the security model, where there was no perimeter, and going forward, we have no perimeters. Everything is compromised. Now we have to find ways to protect what’s key [to us]: our data.

There is [still] work for graph analytics. Graphs may try to understand both how networks behave, but also how data moves around — how users interact with that data. What is the lifecycle of data? Graphs are very helpful for answering those types of queries, when data is now what we’re trying to protect. Our organization already has no border. But how do we protect our people and our data?

How Do You Graph a Perimeter-Less Network?

Scott Fulton, Neo4j: Have you developed your own regular presentation that you have to present annually in front of DoD people? “Our world has no perimeter anymore! It looks more like something out of Buckminster Fuller’s Synergetics: a bunch of [associative] triangles stuck together.”

David Bader: Yea, I had a lot of those conversations ten years ago. And I think most in cybersecurity realized — if you talk to any leading CISOs, you’ll find there is no perimeter. Of course, there are organizations that do try to establish security perimeters, but they tend to be the most sensitive organizations — governments, the FinTech sector, banks, investment banks, and the like.

But outside of that, more and more, we have “bring-your-own-device to work,” and especially with the pandemic, we have more reliance on communications tools that have to break through our perimeters. For instance, we’re talking right now on Zoom. But we’re using third-party apps to communicate. And there’s a variety of different ways where we need to share information. We have other tools where more data is going into the cloud. Maybe we’ve switched to Google Sheets, rather than having an Excel spreadsheet on our desktop. So we’re relying on the cloud for productivity. But every time we do that, what that means is that we basically have less and less knowledge about how data is moving between our organization and other parties out there.

So this conversation, I think, is now more mature. More CISOs understand, and they’re balancing their risk with their ability to do business in this new world.

Scott Fulton, Neo4j: Well, if CISOs understand their world more maturely, are they understanding it in a way that is representable as a graph? And do they know it’s representable as a graph?

David A. Bader: In some areas — for instance, understanding network traffic, and is data being exfiltrated? Are we being exploited? — that naturally [maps to] a graph analytic. Our resources are vertices, our communications are edges.

But there are other ways of viewing this for CISOs. For instance, I served as a lead scientist in the DARPA ADAMS [Anomaly Detection at Multiple Scales] program that was looking at finding insider threats such as lone wolf actors within organizations. Insider threats are trying to find people who may be breaking policy; they may be changing their patterns of life; they may be trying to exfiltrate customer records, or even the crown jewels: source code and other IP. Being able to identify those types of individuals also can be handled with graph analytics. . . to try to understand, what is normal, and then what’s an anomaly or an outlier.

Photo of a segment of a D-Wave quantum annealing system semiconductor wafer by Steve Jurvetson, licensed under Creative Commons 2.0.

Chain of Events

Scott Fulton, Neo4j: It’s been my experience that organizations tend to not even start talking about the subject of insider threats, until they start feeling skeptical about the idea, “Maybe we have an insider threat right now.” Rather than proactively doing insider threat analysis, prior to the time where they have reason to become skeptical.

David Bader: That’s right. I think leading organizations with workforces of 50,000 people or more clearly know that, at any given time, one percent of their workforce may be malicious, or may have low morale. You always have to protect against that. But we always hear the old adage that there are two types of organizations: ones that know that they’ve been compromised, and the others that say they haven’t been compromised, but have been.

I think now, most substantial organizations do realize these are ongoing threats. Of course, publicly, many organizations don’t want to admit that there’s risk. If you were trying to build public trust in your organization, the last thing you want to have happen is for that trust to be eroded. However, there are organizations where they found it’s better to essentially report or come clean. There’s also new consumer regulations that require and compel organizations to release, for instance, any time your personal information has been breached at a company.

This really has become something in the public eye. Although, at this point, we’re numb to having our data breached. I can’t think of a system I use where the data hasn’t been breached. It used to be shocking; now, a breach is five minutes of news, and everyone moves on.

One area that’s getting a lot of attention, both due to the supply chain issues we’re seeing due to the pandemic, and also for the fact that, in 2021 and early 2022, we had some very novel types of supply chain breaches within open-source software. These were parts of the supply chain that we had for software, that nobody would consider as significant. Yet they impacted systems, governments, large organizations. In the news, we see that 90 percent of the chips for our devices are being produced in Taiwan at TSMC. Ten percent are being produced by Samsung. That’s a supply chain where one disruption would impact every industry. That’s the reason why the US is supporting the CHIPS and Science Act, that will put $52 billion in trying to establish new fabs in the United States. But semiconductors are the new oil, and this limit in the supply chain has huge ramifications.

I think this awareness is leading companies to start thinking more, “How can I use graphs to understand my supply chain?” Whether it’s the next variant of COVID; the Russia/Ukraine conflict; a new policy that takes place in Europe that may impact trading; our relationship with China — what does that mean for the manufacturers in the US that are relying on these very complex supply chains to build their products? Or large organizations, or even governments trying to understand that supply chain?

This is an area where there’s going to be growing need, not just for the largest organizations and governments, but for everyone to understand the supply chain. We’ll need it for understanding food production better. We’re facing unprecedented climate change, and we have so many areas that impact basic life, where understanding those supply chains really will impact our day-to-day health, and our ability to survive on the planet.

See “Bluehound: Community-Driven Security Based on Neo4j and NeoDash” with Dekel Paz, senior security researcher at Zero Networks, live during Neo4j’s NODES 2022 live streaming webcast at 0850 GMT / 0950 CET Thursday, November 17. Registration for the 24-hour live, worldwide event is free.