Solving puzzles and mysteries
I was directed to a great document on some theory of detection and prevention - or as the author likes to compare it with: solving mysteries and puzzles.
Puzzles can be solved; they have answers. But a mystery offers no such comfort. It poses a question that has no definitive answer because the answer is contingent; it depends on a future interaction of many factors, known and unknown.
This is interesting:
Solving puzzles is useful for detection. But framing mysteries is necessary for prevention.
A great example of the issues of prevention of unknown vulnerabilities:
To analysts in the Pentagon, for instance, terrorists present the ultimate asymmetric threat. But the nature of the threat is a mystery, not a puzzle. Terrorists shape themselves to our vulnerabilities, to the seams in our defenses; the threat they pose depends on us. The 9/11 hijackers, for instance, did not come to their plan of attack because they were aviation buffs. They came to it because they had identified gaps in our aviation defenses.
Why we need to look for indications of suspicious activity, at different places, and correlate these:
By contrast, mysteries often grow out of too much information. Until the 9/11 hijackers actually boarded their airplanes, their plan was a mystery, the clues to which were buried in too much “noise”—too many threat scenarios. So warnings from FBI agents in Minneapolis and Phoenix went unexplored. The hijackers were able to hide in plain sight. After the attacks, they became a puzzle: it was easy to pick up their trail.
Finally on how medicine, which is very similar to reactive security efforts, correlates indications before they give treatment:
Doctors base an initial assessment of a patient’s health on propensity, as revealed by his or her medical history, and on diagnosis, determined through an examination. If the doctor’s initial assessment is of a high probability of disease, he or she orders more tests, which in turn refine that probability. For chronic concerns, such as high blood pressure leading to heart disease, the initial assessment leads to a decision about whether and how to treat, followed by subsequent tests to see if the original probability of problems can be revised downward.
It is no coincidence that a certain IPS vendor calls its IPS a “DigitalVaccine”. Only, they apply their cure by looking at a single packet. That is perhaps why they sometimes get it wrong - all IPS products in some sense do. And in some cases, as with medicine and the cure of a human with a disease, getting things wrong isn’t acceptable - it could result in an even worse condition: death, or the blocking of absolutely business-critical traffic. But there are products that function more like doctors.
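To make the contrast concrete, here is an added example (my own illustration, not code from the post or from any vendor) of the two approaches to a verdict: the single-packet approach flags every IDS signature hit on its own, while the doctor-like approach starts from a prior (the host's known history, the "propensity") and then looks for corroborating evidence in other log sources within a short time window (the "follow-up tests"), only acting once the refined score crosses a threshold. The host addresses, log lines, window length, threshold and asset history are all constructed for the demonstration.

```python
"""Added example: single-packet verdicts versus correlated verdicts.

All events, hosts and priors below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # how close in time corroborating events must be
THRESHOLD = 3                   # score needed before we "treat" (block / escalate)

# Propensity: a constructed asset history, the analogue of a medical history.
# 1 = host is known to be unpatched / exposed, 0 = no known weakness.
ASSET_HISTORY = {"10.0.0.5": 1, "10.0.0.7": 0, "10.0.0.9": 1}

# Constructed events from three sources (IDS, firewall, auth log):
# (timestamp, source, host, detail)
EVENTS = [
    ("2007-05-25 09:00:05", "ids",  "10.0.0.5", "SQL injection signature matched"),
    ("2007-05-25 09:00:07", "fw",   "10.0.0.5", "outbound 10.0.0.5:4444 -> 203.0.113.9 allowed"),
    ("2007-05-25 09:00:20", "auth", "10.0.0.5", "new local admin account created"),
    ("2007-05-25 09:03:00", "ids",  "10.0.0.7", "SQL injection signature matched"),  # nothing corroborates it
    ("2007-05-25 11:30:00", "ids",  "10.0.0.9", "port scan"),
    ("2007-05-25 14:00:00", "auth", "10.0.0.9", "new local admin account created"),  # too far apart in time
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def single_packet_verdicts(events):
    """The 'vaccine' approach: act on every IDS signature hit, with no further context."""
    return [host for _, src, host, _ in events if src == "ids"]


def correlated_verdicts(events, history=ASSET_HISTORY, window=WINDOW, threshold=THRESHOLD):
    """The 'doctor' approach.

    Each IDS hit is the initial assessment. The host's prior (history) plus the
    number of distinct sources that report on the same host within the window
    refines the score; only hosts whose best score reaches the threshold are
    returned, as {host: score}.
    """
    by_host = defaultdict(list)
    for ts, src, host, detail in events:
        by_host[host].append((parse(ts), src, detail))

    verdicts = {}
    for host, evs in by_host.items():
        evs.sort()
        for t0, src, _ in evs:
            if src != "ids":
                continue  # other sources only count as corroboration of an IDS hit
            sources = {s for t, s, _ in evs if abs(t - t0) <= window}
            score = history.get(host, 0) + len(sources)
            verdicts[host] = max(verdicts.get(host, 0), score)
    return {h: s for h, s in verdicts.items() if s >= threshold}


if __name__ == "__main__":
    print("single-packet:", single_packet_verdicts(EVENTS))   # three hosts, two of them noise
    print("correlated:   ", correlated_verdicts(EVENTS))      # only 10.0.0.5, with its score
```

Run as written, the single-packet verdict flags all three hosts, while the correlated verdict flags only 10.0.0.5, where the IDS hit, the firewall log and the auth log agree within the window and the host already had a weak prior. The lone IDS hit on 10.0.0.7 and the two events on 10.0.0.9 that are hours apart stay below the threshold, which is the "noise" the post describes.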

25. May 2007 at 09:16
Göran, how easy is actually the “doctor-like” product from http://www.q1labs.com to use? From their product page it seems you just plug it in and it almost automatically works, but since I am skeptical I think it requires a lot of fine tuning as any other product. Maybe it needs less…?
25. May 2007 at 12:21
QRadar is a great product, which I have tested rather extensively in a lab environment. In contrast with other similar products, our results indicated that its built-in correlation engine is very accurate.
However, all this boils down to the quality of the log sources of course. But having a fine-tuned IDS/IPS, a firewall log, service logs etc. allows the device to very accurately detect and describe attack patterns. I’ll say most of the fine tuning would still be necessary on the IDS/IPS. And as with any product that can base-line, it’s a matter of it getting to know the environment and baseline.
It also has a built-in NBAD feature, where it can do traffic anomaly detection using for instance netflow data. That is a feature most SIEM products don’t have, yet.
I plan to blog about QRadar sometime in the future.