Emulating the security analyst with software
This is the second installment of a two-part article discussing why static security detection methods can no longer protect enterprises from advanced hacking efforts. In this installment, the author discusses why the security industry must begin to look at a more dynamic approach to security alerts.
Earlier, we discussed the beginnings of SIEM deployments and the failure of static-based detection. Now, we need to start thinking like security analysts. Why? Because if logical correlation is something a human does best, and skilled cyber security professionals are scarce, then dynamic, advanced software is how we best emulate the human decision-making process.
How will we do this?
Ask questions of data dynamically – There is a lot of messaging out there about asking your data questions—but which questions, and in what order? Without thinking about it, humans ask many questions in different orders to reach a conclusion, and the next question may change based on the answer to the previous one. There are many routes to an answer. Humans take “conditions on the ground” into consideration; machines with static detections do not.
Don’t boil the data ocean – So often we are told to collect everything. Any data can be security relevant during an investigation, and having all data at your disposal lets you follow an investigation wherever it leads; but studies have shown that a human can hold only about four unrelated things in mind at the same time. This is one of the reasons patterns are so important to memory and why digits are so often grouped in threes and fours (for example, 666-777-5050).
Take an identity-centric view of security data – By identity we mean one or more sets of credentials that represent a user or a machine account. I’m going to assert something daring: no system is vulnerable to attack unless a person or another system can access it. This is why an identity-centric approach to security makes sense. Knowing whether this is the right person (or machine entity) doing the right thing at the right time, in a way that is reasonably consistent with their own past behavior and that of their peers, is key to understanding what is normal. An attacker’s motivations are not aligned with the business value that a company and its employees create.
Learning, remembering, and prioritizing – Machines have longer memories than humans. The concept of machine learning has been around for over fifty years. The problem has been that in dynamic business environments, people do different things all the time. What should be learned and remembered? This is where custom algorithms are required to compare a user’s historical behaviors to one another, to those of their peer group (as defined by Active Directory), or to the entire company over time. But what do we want to remember? Unusual behaviors occur every day; we only want to remember and prioritize those sessions that, in the aggregate, show a divergence between the objectives of an employee doing their job and those of an attacker looking to steal business value.
Time as a universal concept – Knowing what happened and when is part of the story the incident response team needs to tell as quickly as possible, so that the CEO can communicate with shareholders, the board of directors and employees. Presenting anomalous behavior data in a timeline is a universal concept.
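The five points above describe one procedure: ask ordered questions of each session, compare the answers against the user’s own history and that of an Active Directory peer group, keep only the sessions that diverge enough to be worth remembering, and present them as a timeline. The following is an added example of that procedure in Python; it is not code from the article or from any product it alludes to. The logon events, user names, peer-group mapping (a stand-in for Active Directory group membership), weights and threshold are all constructed for illustration.

```python
"""Identity-centric session scoring over a constructed event sample.

Added example (not from the article). Builds a per-user baseline and a
peer-group baseline, scores each new session by asking an analyst's
questions in order, keeps only sessions over a threshold, and orders the
findings as a timeline. Every event, user, group and weight is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed historical logon events: (user, ISO timestamp, host, source IP)
HISTORY = [
    ("alice", "2024-03-01T09:05:00", "fileserver01", "10.1.1.10"),
    ("alice", "2024-03-02T09:12:00", "fileserver01", "10.1.1.10"),
    ("alice", "2024-03-03T10:01:00", "hr-app", "10.1.1.10"),
    ("bob",   "2024-03-01T08:50:00", "fileserver01", "10.1.1.11"),
    ("bob",   "2024-03-02T09:30:00", "hr-app", "10.1.1.11"),
    ("carol", "2024-03-01T14:00:00", "build01", "10.2.2.20"),
    ("carol", "2024-03-02T15:20:00", "git01", "10.2.2.20"),
]
# Constructed stand-in for Active Directory group membership (user -> peer group)
PEER_GROUPS = {"alice": "hr", "bob": "hr", "carol": "engineering"}

# Constructed new sessions to score against the baselines
NEW_SESSIONS = [
    ("alice", "2024-03-04T09:15:00", "fileserver01", "10.1.1.10"),  # routine
    ("alice", "2024-03-04T03:10:00", "git01", "203.0.113.7"),       # off-hours, new host, new IP
    ("bob",   "2024-03-04T09:40:00", "hr-app", "10.1.1.11"),         # routine
]


def build_baselines(events):
    """Return per-user and per-peer-group profiles of hosts, source IPs and hours."""
    users = defaultdict(lambda: {"hosts": set(), "ips": set(), "hours": Counter()})
    groups = defaultdict(lambda: {"hosts": set(), "hours": Counter()})
    for user, ts, host, ip in events:
        hour = datetime.fromisoformat(ts).hour
        profile = users[user]
        profile["hosts"].add(host)
        profile["ips"].add(ip)
        profile["hours"][hour] += 1
        peers = groups[PEER_GROUPS.get(user, "unknown")]
        peers["hosts"].add(host)
        peers["hours"][hour] += 1
    return users, groups


def score_session(session, users, groups):
    """Ask the questions an analyst would ask, in order, accumulating weighted reasons.

    Returns (score, [reason, ...]); weights are constructed for illustration.
    """
    user, ts, host, ip = session
    hour = datetime.fromisoformat(ts).hour
    me = users[user]
    peers = groups[PEER_GROUPS.get(user, "unknown")]
    reasons = []
    # Q1: is this host normal for the user? If not, is it at least normal for peers?
    if host not in me["hosts"]:
        if host in peers["hosts"]:
            reasons.append(("new host for user, known to peers", 1))
        else:
            reasons.append(("host unknown to user and peer group", 3))
    # Q2: has the user ever come from this source address?
    if ip not in me["ips"]:
        reasons.append(("new source address", 2))
    # Q3: is the hour outside both the user's and the peers' working pattern?
    if hour not in me["hours"] and hour not in peers["hours"]:
        reasons.append(("hour outside user and peer pattern", 2))
    return sum(weight for _, weight in reasons), [text for text, _ in reasons]


def timeline(sessions, threshold=3):
    """Score sessions, keep only those worth remembering, and order them by time."""
    users, groups = build_baselines(HISTORY)
    findings = []
    for session in sessions:
        score, reasons = score_session(session, users, groups)
        if score >= threshold:  # "don't boil the ocean": remember only divergent sessions
            findings.append({"time": session[1], "user": session[0],
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for finding in timeline(NEW_SESSIONS):
        print(f"{finding['time']} {finding['user']:6} score={finding['score']} "
              f"{'; '.join(finding['reasons'])}")
```

The order of the questions matters: the answer to “is this host known to the user?” decides whether the peer group is even consulted, which is the dynamic questioning the first point describes. Replacing the constructed weights with ones tuned to a real environment, and the constructed peer map with group membership pulled from the directory, is where the custom algorithms the article mentions come in.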
The end of static-based detections
Attack methods and methodologies have changed since the time when the SIEM was invented. You would think that hacking the human is a new phenomenon. You’d only be half right. Hacking the human has happened for thousands of years – in person. People are gullible, ignorant in the absence of information, do what they are told, want to be liked, and want to be helpful.
Hacking the human over the Internet (without meeting them in person) is, by comparison, still a recent phenomenon. The existence of Twitter, Pinterest, LinkedIn and Facebook (and more applications every day) means attackers can gather enough information that they never have to meet the target in person and can hack the human from thousands of miles away. The human is now the most prominent attack vector.
Static detections still have a place at the security table. Security hygiene remains important as a way to slow attackers down once they have the credentials they need to get past perimeter defenses. Security KPIs for your organization and for your business partners are still an important measure of how seriously they take security. However, an attacker with valid user credentials can sidestep nearly all the widely available static detection systems. In the future, static detections will become context for identity-based detections, and security teams will realize this in a long, slow, painful way.