Behind the PUZZLE recommendation system, is it enough?

  • February 12, 2023

The PUZZLE project provides a cybersecurity suite for those who cannot afford a reliable one. But one would fairly ask: how reliable is it? In a world where you get what you pay for, and where security is expensive, with big corporations paying millions of dollars for it, is a budget solution like this enough? Can it truly cover the needs of SMEs/MEs on a scale comparable to the expensive solutions more fortunate parties can afford? And regardless of capabilities, is it usable by someone who isn’t familiar with the field? It is easy to claim that it is, but it is much better to deliver evidence of it, so read along.

First, we must prove the ability of the solution to provide security. The two most important factors of defense are knowledge of the attack and having the tools to defend against it. This knowledge includes several attributes: who the attacker is; where, when, and in what circumstances the attack has happened in the past; how it was resolved; and how, and with what tools, the experts defend against it. With all that information it becomes possible to devise a way to map defensive procedures to such incidents.

For the knowledge part, we are fortunate that the MITRE Corporation provides two exceptionally comprehensive knowledge bases to the world at no cost. MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, including specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. MITRE D3FEND® is a knowledge base and knowledge graph of cybersecurity countermeasure techniques; in the simplest sense, it is a catalog of defensive cybersecurity techniques and their relationships to offensive/adversary techniques.

We have the knowledge of the attacks, but we need the right tools to address them. PUZZLE cuts no corners in utilizing the best tools available in the most efficient way; these include state-of-the-art open-source orchestration, networking, and even interfacing tools.

To mention a few of the technologies utilized by this project: Apache Kafka is used for data aggregation, Kubernetes for orchestration and deployment, Cilium for networking, Beats for data shipping, Drools for rule management, eBPF for kernel extensions, and the LLVM compiler for packet processing.

All of these technologies are high-end open-source or free-to-use tools, yet they are by no means lacking in any way, as they are the same technologies that experts trust and use in large corporations. The biggest difference with PUZZLE is that normally you would require a team of experts to utilize these technologies, whereas the goal of PUZZLE is to provide this service for free, requiring users to pay only for the security policies they actually use, rather than for the tools that decide which policies to apply.

The solutions work, but can everyone use them? Even the best tool is impractical in the wrong hands, after all. Since PUZZLE aims to provide this service even to a less tech-savvy audience, the project features a very user-friendly interface and functionality.

Through the Dashboard, the user can send a request to the Policy Recommender for suggested policy templates to activate. After the request is received, the Recommender sends a request to retrieve all the available policy templates from the Marketplace and initiates the recommendation function. The sequence diagram is presented below in the Figure. Based on metadata included in those templates and other information from the system, the Recommender makes a few policy recommendations and returns them to the user through the Dashboard, where the user can select and apply the preferred policy based on the information provided alongside it.
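To make the flow above concrete, here is an added example (not PUZZLE's own code) of a minimal Recommender: it fetches templates from a constructed Marketplace catalogue, discards templates the deployed platform cannot enforce, and ranks the rest by how many observed ATT&CK techniques their D3FEND countermeasure addresses. The template names, their ATT&CK/D3FEND tags, and the component names are illustrative assumptions, not values from the project.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyTemplate:
    name: str
    mitigates: frozenset   # ATT&CK technique IDs the template's countermeasure addresses
    countermeasure: str    # D3FEND technique the template implements (tags are illustrative)
    requires: frozenset    # platform components the policy needs in order to be enforceable


# Constructed Marketplace catalogue; names and tags are made up for this example.
MARKETPLACE = [
    PolicyTemplate("ssh-login-lockout", frozenset({"T1110"}), "D3-AL", frozenset({"kubernetes"})),
    PolicyTemplate("egress-allowlist", frozenset({"T1071", "T1041"}), "D3-NTF", frozenset({"cilium"})),
    PolicyTemplate("shell-spawn-alert", frozenset({"T1059", "T1110"}), "D3-PA", frozenset({"ebpf"})),
    PolicyTemplate("ingress-ratelimit", frozenset({"T1110", "T1046"}), "D3-NTF", frozenset({"cilium"})),
]


def fetch_templates(marketplace):
    """Stand-in for the Recommender's request to the Marketplace."""
    return list(marketplace)


def recommend(observed, system_components, templates, limit=3):
    """Rank templates by observed techniques covered; skip those the platform cannot enforce."""
    observed = set(observed)
    scored = []
    for t in templates:
        if not t.requires <= system_components:
            continue                      # the "other information from the system" check
        hits = t.mitigates & observed
        if not hits:
            continue                      # template addresses nothing that was observed
        unrelated = len(t.mitigates - observed)
        # most hits first, then the narrowest template, then a stable name order
        scored.append((-len(hits), unrelated, t.name, t))
    scored.sort(key=lambda s: s[:3])
    return [{"template": t.name, "countermeasure": t.countermeasure,
             "covers": sorted(t.mitigates & observed)} for *_, t in scored[:limit]]


def handle_dashboard_request(observed, system_components, marketplace=MARKETPLACE):
    """Dashboard -> Recommender -> Marketplace -> ranked suggestions back to the Dashboard."""
    return recommend(observed, frozenset(system_components), fetch_templates(marketplace))


if __name__ == "__main__":
    for suggestion in handle_dashboard_request(["T1110", "T1059"], {"kubernetes", "cilium", "ebpf"}):
        print(suggestion)
```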

To conclude, we have shown that our coverage is reliable by demonstrating that the information we rely on and build upon is not the speculation and opinions of a few of our experts, but the collective knowledge of many of the most renowned cybersecurity experts in the world. We have also shown that we use the best tools on the market to handle this information and act upon it. Finally, we explained that all of this can be fully utilized by a user with minimal technical knowledge. With that in mind, PUZZLE is confident that the solution it provides is indeed enough.

Figure 1. The sequence diagram

Author: ICCS – Institute of Communication and Computer Systems