In my experience, security professionals are excellent at working problems. Give them a few suspicious alerts, a few failed logins, some sneaky looking network traffic and then get out of their way. Like bloodhounds on the trail of the fox, they aren’t afraid of sticking their nose on the scent and then following it to its very end. They will dig in deep to figure out what happened, when it happened and what to do about it. In my blog post “Alarm Fatigue”, I lamented the fact that security functions have a lot of noise coming their way. The noise has a high frequency with variable amplitude resulting in a cacophony that would confuse even the most disciplined and skilled bloodhound. Ok – so I am mixing analogies there with scent and sound but you get the picture.
Now, when it comes to working through a continuous input of data, there are a few algorithms that can be considered. Those of you with programming backgrounds will recognize the obvious.
First In, First Out (FIFO): As a piece of data is presented, it is analyzed, processed and then passed on as output. This is pretty straightforward. Think of Lucy and Ethel in the candy wrapping fiasco in I Love Lucy. As the piece of candy comes out of the machine, you wrap it and then move to the next. Lucy and Ethel find out firsthand what can happen when the flow starts picking up speed.
Last In, First Out (LIFO): This process gathers data until it has a nice big pile. Then the one on the top is picked up, reviewed and worked. The next one on the stack is handled and so forth. Many people do this with their email after a vacation…start at the latest email and then work their way back until they realize this is a futile effort and give up.
All In, None Out (AINO): Pretty self-explanatory. This is the “black hole” method.
None In, None Out (NINO): Again – pretty self-explanatory. This is the “deny everything” model.
Some In, Some Out (SISO): I call this the “selective issues management” model. Let’s pick what can be solved, work it out and ignore the rest.
So security teams have a few options to ‘work the problems’. None of these really work effectively. FIFO just handles everything serially. Big problems will eventually get worked but there will be a lot of effort expended to get there. LIFO can result in big problems sitting unnoticed, buried under a sea of meaningless issues until the problem ends up in a security blog and front page news. The other three are just silly but unfortunately they have been seen in operation. So security teams have a process challenge…I mean…opportunity.
The next opportunity is the ever growing need of more and more visibility into what is happening on the network, hosts and applications in the enterprise. Security tools usually help with filtering some of this stream of data – alerts, notifications, rules, “anomaly detection”, etc. However, today we are learning frequently that this filtering can miss extremely important pieces of data that indicate a security issue. We know the signatures and profiles that these alerts and notifications are built on aren’t keeping up with the threats we see and therefore, issues sometimes are never even identified and put into the queue. Additionally, today’s happily secured application using well-recognized, industry standard encryption could be tomorrow’s bleeding wound in the enterprise. (Thank you Heartbleed) Security is many times finding the needle in a stack of needles (a well-used phrase used today). You just never know which needle you need to look for. So security teams are faced with need to gather, store and organize EVERYTHING just in case.
What security needs today is an All In, Priority Out (AIPO) model. This means the data that may need to be analyzed is collected, organized, normalized and available when needed but issues are pushed into the queue based on solid prioritization models. The inputs into the security “work-the-problem” process must have dimensions added from a constant churn of data. Let’s take a very simple example (I apologize for the simplicity but it is just a blog – not a dissertation).
Problem: Beaconing traffic to a known C2 IP from an internal host. Alert looks something like “10.1.1.1 connecting to 22.214.171.124”. (See the First Watch report on VOHO).
- Zero Dimension: Internal host communicating with known bad actor.
- First dimension: 10.1.1.1 is John Smith’s laptop.
- Second dimension: John Smith is an IT employee who works in the Database group.
- Third Dimension: jsmith is John’s username in the internal domain and has administrative access to database clusters across the enterprise.
- Fourth Dimension: Access logs show jsmith has been extremely active in accessing databases at strange hours.
- Fifth Dimension: Account jsmith created a manual backup of DATABASE_XYZ which contains personal information gathered by the HR department as part of the health insurance enrollment process.
The dimensions go on and on put you get the idea. Each dimension ratchets up the priority but it requires taking in “all” (loosely defined) data pertinent to the problem. None of this data resides in one place; none of it is readily accessible in most organizations but all of it is necessary to take that problem and push it through the process. So we do have the need for an “All In” method. However, once you start taking in everything, any of the other methods will fall short very quickly. Hence, the only way to solve this is the “Priority Out” model. And priority requires lots of dimensions – both technical AND business oriented.
Priority queues are not a new idea. However, the need to chain together priority queues from multiple dimensions is what we need today. It can’t just be technical dimensions either – it has to be connected to people and business processes. We also need more and more data (the “All In” part of AIPO) to create the context necessary to create the “Priority Out” part of the equation.
What model does your security team take when it comes to working the problems? FIFO? LIFO? I am confident you won’t claim and of the other methods. How close are you to an AIPO Model?