Why Cyber Defense Needs Software Behavior Transparency


By Ben Higgins, Distinguished Software Engineer

On May 12, 2021, the Biden Administration announced an executive order aimed at strengthening the cybersecurity of government and public sector programs. The executive order came in the wake of several major recent incidents, including the SolarWinds, Microsoft Exchange Server, and Pulse Secure CVEs, which impacted numerous federal agencies as well as private sector companies.

One primary focus of the cyber order is to improve the security of the software supply chain. Specifically, it will require vendors to provide a software bill of materials (SBOM)—a list of all third-party and open-source components used to build their software—in order to work with federal agencies.

While the SBOM would make it easier and faster for federal agencies to determine whether one of these dependent components subjects them to a vulnerability, it's not enough. Faster incident response does not protect against compromise across the supply chain. We need to take it one step further to demonstrate when software within the supply chain is at risk of attack.

We also need software behavior transparency.

A behavior transparency framework allows companies within the supply chain to detail the expected actions that the software will take on a device or on the network. This will help security analysts develop a baseline in order to distinguish between expected noise and indications of compromise and identify exploitation of unknown vulnerabilities in proprietary or open-source software.

In order to be effective, there will have to be buy-in from public and private sectors alike. Successful adoption will require standardization, ease of use, centralization, and feedback mechanisms.

Establish Standards
First, a working group of representatives from software and security software vendors, organizations like MITRE, and governing bodies will need to create standards for the types of network activity that must be included for full behavior transparency. At a minimum, this should include things like external network destinations, internal network connection behavior with other software components.

Availability and Usability of Behavioral Data
Second, known software behaviors should be published in a machine-readable JSON file that could be easily ingested into common security products—like security information and event management (SIEM), firewalls, endpoint protection platforms, network detection and response, and change management tools. This will help build baselines of expected activity to more quickly and accurately detect deviations that indicate compromise.

Centralized Access
Third, a clearinghouse for behavior transparency data should be established and administered by the Cybersecurity and Infrastructure Security Agency or another appropriate federal agency. A forum like GitHub is an ideal mechanism for such a clearinghouse, providing a widely used, centralized repository for this information.

Streamlined Feedback
Fourth, the clearinghouse should include a public feedback mechanism for reporting deficiencies in the behaviors to software vendors. Most deficiencies will be for reasons like a product update that wasn't reflected in the behavior transparency data, but there will also be true positives found.

Join our mission in pursuit of a more secure software supply chain. Sign up at www.extrahop.com/behaviortransparency.

Sustaining Partners