Tools and techniques abound for helping organizations detect and respond to cyberthreats. But what if instead the answer was to simply scrap the operating system altogether?
Or, rather, to replace the operating system with a database.
That concept is at the core of research that came out of MIT about a year ago, which you might say is now ready for prime time, with some help from businesses.
“Sometimes it's thinking outside the box that really makes the greatest innovation,” said Michael Coden, co-founder and associate director of Cybersecurity at MIT Sloan, or CAMS, and senior adviser at Boston Consulting Group. He led the research with Mike Stonebraker, an MIT professor and a pioneer of database research and technology for more than 40 years.
The idea, which came from a team of 20 researchers, faculty and students at MIT and Stanford, uses the database not as an application on an operating system, but instead as the operating system itself. “It's built on bare metal, as we call it, on the silicon,” Coden said during a December keynote discussion at the SC Media Threat Intelligence eSummit. “And the data is stored in the database. Think of the applications as stored procedures in the database.”
So what does this have to do with security? Having all applications and data in a relational database means that all log files are kept in the database, and users can interrogate the log files using SQL queries. That’s different from today’s standard, where the database runs on top of an operating system, and separate logs exist for the applications, for the operating system, and for the database; those logs are then exported to a SIEM or some other analytics engine.
With a standard operating system, “the analytics engine spends time processing, and eventually may find an anomaly and come back to say, ‘You better investigate this — you may have been compromised,’” Coden said. In a scenario where a relational database replaces the operating system, analytics simply involves “running continuous SQL queries, so detection time can be reduced from hours to seconds or even fractions of a second.”
Beyond speed to detection, a database provides IT teams standard procedures for rolling back a database to a prior state if an incident does occur. So rather than going to the vault, getting tapes, and trying to rebuild systems or maintaining a hot standby, “we're just talking about rolling back the database to pre-compromise,” which could take less than five minutes. The approach also supports law enforcement — the compromised system can be handed over for investigation while the business keeps running on a database replica.
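To make the two security claims above concrete, here is an added illustration (not code from the MIT/Stanford project) in Python over SQLite: the application's state, an append-only version table for that state, and its authentication log all live in one relational database, a SQL query over the log acts as the "continuous query" that flags a burst of failed logins, and a second query restores the state to its last version before the suspicious activity. The schema, the log rows and the threshold are constructed for the example.

```python
import sqlite3

# Constructed schema: application state, every prior version of that state,
# and the application's own auth log, all in the same relational database.
SCHEMA = """
CREATE TABLE accounts(id INTEGER PRIMARY KEY, balance INTEGER NOT NULL);
CREATE TABLE account_versions(id INTEGER, balance INTEGER, ts INTEGER,
                              PRIMARY KEY(id, ts));
CREATE TABLE auth_log(ts INTEGER, username TEXT, src TEXT, outcome TEXT);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def set_balance(conn, acct, balance, ts):
    # The only write path for account state (think "stored procedure"):
    # it also records a version row so earlier state can be reconstructed.
    conn.execute("INSERT OR REPLACE INTO accounts VALUES (?, ?)", (acct, balance))
    conn.execute("INSERT INTO account_versions VALUES (?, ?, ?)", (acct, balance, ts))

def failed_login_bursts(conn, now, window, threshold):
    # The detection query run continuously against the in-database log:
    # sources with at least `threshold` failed logins inside the window.
    return conn.execute(
        """SELECT src, COUNT(*) AS n, MIN(ts) AS first_ts
           FROM auth_log
           WHERE outcome = 'fail' AND ts > ? AND ts <= ?
           GROUP BY src HAVING n >= ?
           ORDER BY first_ts""",
        (now - window, now, threshold)).fetchall()

def roll_back_to(conn, ts):
    # Restore every account to its latest version at or before `ts`,
    # atomically, from the version table rather than from backup tapes.
    with conn:
        conn.execute("DELETE FROM accounts")
        conn.execute(
            """INSERT INTO accounts(id, balance)
               SELECT v.id, v.balance FROM account_versions v
               WHERE v.ts = (SELECT MAX(ts) FROM account_versions
                             WHERE id = v.id AND ts <= ?)""", (ts,))
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))

def demo():
    conn = open_db()
    set_balance(conn, 1, 500, ts=100)
    set_balance(conn, 2, 300, ts=100)
    # Constructed log: six failures from one source in 30 s, then a success,
    # after which account 1 is drained.
    for i in range(6):
        conn.execute("INSERT INTO auth_log VALUES (?, 'alice', '203.0.113.9', 'fail')",
                     (200 + 5 * i,))
    conn.execute("INSERT INTO auth_log VALUES (230, 'alice', '203.0.113.9', 'ok')")
    set_balance(conn, 1, 0, ts=240)
    alerts = failed_login_bursts(conn, now=240, window=60, threshold=5)
    tampered = conn.execute("SELECT balance FROM accounts WHERE id = 1").fetchone()[0]
    # Roll back to just before the first flagged failure.
    restored = roll_back_to(conn, alerts[0][2] - 1) if alerts else None
    return alerts, tampered, restored
```

The rollback restores whatever the version table holds; in a real deployment the version rows (and the log) would need to be protected from the same compromise, which is exactly the integrity property a database-as-OS would have to guarantee.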
The concept was published about a year ago, with the team spending the last year building a prototype of the system. Now, researchers are looking for companies that would like to support a proof of concept.
“So if you're interested in being part of what could potentially be the future of cyber resilience, give us an application that we can adapt,” Coden said. “Our team will adapt your application to this new device or ‘database operating system,’ and then have you test to tell us if it really works.”
Coden concedes that at this stage, the effort is totally experimental. But he does point to a database developed a few years ago called VoltDB, which proved to be the fastest way of processing transactions. It’s now used by a large number of telecommunications companies for processing all their central office operations. “So databases can be incredibly fast, and our belief is that if we were to write this device directly on bare metal, that it could be equally fast or faster in the hardware that's available today,” he said. And for the majority of applications out there, he adds, “data has become — as people say — the 'new oil.'”
Coden's hope is that the concept first proves itself as a feasible option for cloud systems, central servers, and big server farms. Ultimately it could offer a third option alongside Microsoft and Linux — the latter of which offered its own paradigm shift from integrated programs to a series of individual files.
The team so far has signed on two large company participants — one in consumer goods and healthcare that is currently conducting a proof of concept, and a financial institution that has indicated they will proceed. More leads are considering the opportunity, but Coden hopes to recruit more. Anyone interested should reach out to Coden directly at [email protected].
“I can't guarantee results,” he noted. “But it'll be really interesting if we can prove that the concept works. Maybe we have some new way of defending or protecting ourselves.”