
Perimeter

2/19/2013 11:19 AM
Wendy Nather
Commentary

Rashōmonitoring

When you don’t know who to believe

There’s something to be said for pure, unprocessed data: You know it doesn’t come with any assumptions.

Here’s a simple example: Logs show use of an application from an executive’s phone in Maryland. They also show some failed login attempts from an unknown device in Tokyo, within two hours of the other events. Now, some analytics would assume that the second set of logs was an attack from Asia, and the APT ALARM would go off, with "hacking-back" teams, energy drinks, and virtual chest bumps all around.

But suppose the executive really was in Tokyo and had left her phone at home, where her 6-year-old picked it up and started playing with it. And because she’d left the phone at home, she was borrowing someone else’s iPad -- and, it being late at night after a liquid dinner, the login process just wasn’t working as well as it usually does.
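The correlation the column describes, as an added example that is not part of the original post: a naive "impossible travel" analytic that flags the Tokyo failures, with the assumptions baked into the rule attached to every alert so an analyst can challenge them. The events, coordinates and the 900 km/h threshold are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

@dataclass
class Event:
    ts: datetime
    user: str
    device: str
    lat: float
    lon: float
    outcome: str  # "success" or "failure"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900.0):
    """Naive analytic: consecutive events for one account whose locations are too
    far apart for the time gap become an alert, which names its own assumptions."""
    alerts, last_seen = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        prev = last_seen.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600
            if hours > 0 and km / hours > max_kmh:
                alerts.append({
                    "user": e.user, "device": e.device, "outcome": e.outcome,
                    "distance_km": round(km), "hours": round(hours, 2),
                    "verdict": "possible account compromise",
                    # The encoded perspective, stated so an analyst can challenge it.
                    "assumptions": [
                        "one person uses one account at a time",
                        "a device's location is the account owner's location",
                        "both log sources have trustworthy clocks",
                        f"nobody travels faster than {max_kmh:.0f} km/h",
                    ],
                })
        last_seen[e.user] = e
    return alerts

# Constructed events reproducing the column's scenario (coordinates approximate):
# the executive's phone at home in Maryland, then failed logins from Tokyo.
SAMPLE = [
    Event(datetime(2013, 2, 18, 20, 0), "exec", "phone-md", 39.04, -76.64, "success"),
    Event(datetime(2013, 2, 18, 21, 30), "exec", "unknown-ipad", 35.68, 139.69, "failure"),
]
```

Run against SAMPLE the rule fires, and every assumption it lists is one the column's alternative story (child at home, borrowed iPad, executive actually in Tokyo) violates.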

Security products are featuring more analytics these days to help automate and speed the interpretation and response process -- and that’s good because humans are both (relatively speaking) slow and expensive. But any rules, algorithms, or interpretations of the data can also reflect the perspective and assumptions of whoever created them.

These perspectives can clash, as shown in Akira Kurosawa’s classic film "Rashōmon," in which the main characters all relate their versions of the same story. In the same way, analysts can put their own interpretations on security events, depending on their own states of knowledge and even the order in which they see the data. Here are some assumptions that you may want to take into account when using automated or manual analysis:

  • Anything that appears to originate from an IP address in Eastern Europe or China is Bad.
  • Traffic from a proxy means that someone is up to No Good.
  • Nobody ever shares an account.
  • Anything that overloads a system is a denial-of-service attack. Or it’s never a denial-of-service attack; it’s just a runaway process or memory leak.
  • All systems are using dependable time sources that have not been tampered with. (For some scary scenarios that contradict this assumption, see Joe Klein’s "Time Lord" presentation at ShmooCon last weekend.)
  • Deviations from a baseline are always Bad. (If that were the case, then online sales events would be something to avoid.)
  • A policy violation is always unauthorized. (See my post on the need for exceptions.)
  • An attack pattern or specific piece of malware that has been seen before is coming from the same threat actor.
  • The more sources of data you have that are saying the same thing, the more confidence you should have that it’s accurate.
In order to avoid falling victim to unconscious (or undocumented) assumptions, make sure you know the models behind your analytics. Are you using a product from a company that started in the defense sector? Is the statistical analysis intended to detect fraud in financial transactions, not overdue library books? Are you using statistical baselines that are out of date and don’t reflect your current application traffic? How are historical events weighted in analyzing new ones?

I’m not saying that you should distrust your SIEM. But I am saying that you shouldn’t stop questioning it, or yourself. Once in a while, take a fresh look at your unfiltered data sources, shake up your reporting, and have a different person interpret the alerts in your SOC. Make sure that you haven’t become complacent in your everyday monitoring, because what you see tends to become what you expect to see.

(I would like to thank Sandy "Mouse" Clark at the University of Pennsylvania for her discussions on this topic; she’ll be coming out soon with new research around how assumptions affect security.)

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy.
