There are plenty of examples of behaviors in everyday life that can be either legal or illegal. An easy example is marijuana. To determine whether or not somebody is illegally using the substance in the United States, you’d have to know (at least) which state they’re in, potentially their medical status, potentially their age, and the policies of their current specific location. Context matters tremendously, and just knowing that a person is using the drug is definitely not enough information. Others are unlikely to report the incident if they don’t have most or all of that information, because what they know is low-confidence. Imagine if every time somebody observed a person using marijuana, they immediately called the police.
Given this physical world example, why is it acceptable that the digital world—specifically detecting security incidents—is full of low-confidence reporting? In just about every way we have a more complete picture of the environment, yet we still spew half-baked (no pun intended) low-confidence alerts as fast as we can. It should be obvious that in order to deal with this scenario, a huge amount of effort should go into providing higher-fidelity alerts contextualized across multiple facets of a system.
Relating back to the original concept, alerts that only look at an event (whether network, endpoint, or interaction) in isolation are much less likely to be high-fidelity. For example, if Joe gets access to a new source of highly-restricted data at work (for a new project he’s on), systems that look at that event in isolation will notice it as an anomaly and immediately alert. However, simply accessing something new is not interesting in isolation. If, instead, Joe transfers that data to his work phone via Bluetooth, takes it home, and uses Gmail to send it to a competitor, that is interesting. It is the connection between these separate events, each of which should not be that interesting in isolation, that makes the picture clear.
Therefore, we need ways to identify these behaviors as related, even though they’ll potentially be across different platforms, data sources, and devices. In addition, linking them requires either temporal knowledge or, much better, content-based knowledge about each isolated behavior. If we identify that Joe accessed Gmail on his work phone on the same day that he had access to new highly-restricted data on his work computer, it’s likely that we’ll have identified Joe simply sending an email in his personal time. However, if we can identify that it is the same data (or even—since it’s likely to be encrypted—roughly the same size of content being transferred) in this chain of events, then our alert is much more promising. Better yet, if we can identify metadata about the file being sent from the phone—through antivirus, perhaps—our fidelity increases even more.
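The chaining described above, as an added example that is not from the original post: a small correlator over constructed events from three sources that only raises an alert when every step of the chain links back to the same content (by hash where available, otherwise by approximate size) within a time window. The event schema, field names and sample values are assumptions for this illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (endpoint agent, phone, mail gateway); not real logs.
# Field names and values are assumptions for this example, not any product's schema.
EVENTS = [
    {"ts": "2024-03-01T09:05", "user": "joe", "action": "restricted_access",
     "sha256": "aaaa1111", "bytes": 5_242_880},
    {"ts": "2024-03-01T11:30", "user": "joe", "action": "bluetooth_transfer",
     "sha256": "aaaa1111", "bytes": 5_242_880},
    {"ts": "2024-03-01T20:15", "user": "joe", "action": "gmail_send",
     "sha256": None, "bytes": 5_260_000},   # encrypted in transit: size only
    {"ts": "2024-03-01T20:40", "user": "ann", "action": "gmail_send",
     "sha256": None, "bytes": 12_000},      # no prior chain for ann: stays silent
]
CHAIN = ["restricted_access", "bluetooth_transfer", "gmail_send"]

def same_content(a, b, tolerance=0.02):
    """Link two events by hash when both carry one, else by size within tolerance.
    Returns (linked?, kind of evidence)."""
    if a["sha256"] and b["sha256"]:
        return a["sha256"] == b["sha256"], "hash"
    close = abs(a["bytes"] - b["bytes"]) <= tolerance * max(a["bytes"], b["bytes"])
    return close, "size"

def correlate(events, window=timedelta(hours=24)):
    """One alert per user whose whole chain links to the same content within the
    window. A step seen on its own (e.g. a new data access) produces no alert."""
    alerts, by_user = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for start in [e for e in evs if e["action"] == CHAIN[0]]:
            deadline = datetime.fromisoformat(start["ts"]) + window
            chain, evidence, prev = [start], [], start
            for step in CHAIN[1:]:
                nxt = next((e for e in evs if e["action"] == step
                            and datetime.fromisoformat(prev["ts"])
                                <= datetime.fromisoformat(e["ts"]) <= deadline
                            and same_content(prev, e)[0]), None)
                if nxt is None:
                    break                      # chain incomplete: no alert
                evidence.append(same_content(prev, nxt)[1])
                chain.append(nxt)
                prev = nxt
            if len(chain) == len(CHAIN):
                confidence = "high" if all(ev == "hash" for ev in evidence) else "medium"
                alerts.append({"user": user, "confidence": confidence,
                               "steps": [e["action"] for e in chain]})
    return alerts
```

With the constructed events, only joe's complete chain fires, at medium confidence because the final hop could only be matched by size.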
So where does this leave us? Context is everything. Connecting the dots between indicators of interesting activity across different aspects of an environment—from external to intra-network to device—is the way to provide unparalleled alert fidelity. Interoperability between products is extremely important to getting to the next level of security capability. Will the first company that nails cross-technology integration, contextualization, and interrogation win the day?
About the author: Having used Wireshark ever since it was Ethereal, David has been analyzing network traffic for well over a decade. He has spent the majority of his professional career understanding how networks and applications work, currently as Principal Threat Researcher for Awake Security. David holds computer security degrees from the Rochester Institute of Technology (BS) and Carnegie Mellon University (MS).
Copyright 2010 Respective Author at Infosec Island