While watching TV today, two completely different shows made me think of information security issues and our shortcomings when it comes to data. The first was related to national security: a guest on Campbell Brown on CNN was discussing the successes and failures of our national intelligence agencies. The guest stated we were gathering 1.something billion communications (think email and phone calls) per month and that we don’t have the ability to analyze all that information. After getting my fill of the news I switched over to a cable channel playing Fletch, the 1985 comedy starring Chevy Chase as a reporter following a story. In one scene Fletch is performing some research on his subject. He and his assistant are shown using a microfiche machine to look through old news articles (for those too young to remember, see http://en.wikipedia.org/wiki/Microfiche). He then goes to the hospital to find medical records on his subject, and on the desk in the records room, complete with a bumper sticker that says “I heart my computer”, is a lone computer in a room full of shelves of files. He accesses the green screen, pulls the needed information and the story moves on. What made me think of security is that prior to this past decade we suffered, as Fletch does, from a lack of readily searchable and available security information (think logs). Today we suffer just as the intelligence agencies do in that we have more information than we know what to do with (think of the poor guy who has to read the logs). We have gone from “I can’t find it because I don’t have the information” to, well, “I can’t find it because there is too much information”.
As an example, SIEM systems today work to some extent. While they all claim to work perfectly with all types of sources, in reality the claims land somewhere between worthless and somewhat helpful. Just as with today’s problem of too much information, we often miss attacks or warning signs because the right kinds of information are never correlated. These systems take in log files and spit back out alerts fired off via email. This made me think of an issue that has long bothered me: why can’t these systems take data and make it actionable through visual representations instead of an email? Why can’t we take all of the traffic logs of our egress devices (e.g. firewalls, web proxies, etc.) and represent the data in a visual pattern? Maybe as spheres of different sizes placed on a map that represent sources and destinations, or port and protocol combinations. While we’re at it, why can’t we represent ALL security data visually? To highlight the difference between visual and non-visual representation, think of a doctor reading an x-ray film. While it may be beneficial for you to hear it described as “your ulna, which is next to the radius and connects your hand to the upper arm via the humerus, has a hairline fracture approximately 3 inches above the wrist bone”, wouldn’t it be better if he showed you the x-ray, pointed to the site and said “right there, your bone is broken”?
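As an added illustration of the egress-log idea above (this is example code written for this page, not something from the original post or from any SIEM product): it parses a few constructed firewall-style log lines, rolls them up per source, destination, protocol and port, and emits a Graphviz DOT graph in which each host is a circle whose area scales with the bytes it moved and denied flows are drawn in red. The log format, the addresses and the hosts are all invented; the point is that a rare port used by a single internal host is one thin spoke on the picture, where in an emailed digest it is one line among thousands.

```python
import math
import re
from collections import defaultdict

# Constructed egress log lines in a firewall-style key=value format.
# These records are invented for this example; they are not real traffic.
SAMPLE_LOG = """\
2009-03-01T09:00:01 action=allow src=10.1.2.15 dst=93.184.216.34 proto=tcp dport=443 bytes=48213
2009-03-01T09:00:07 action=allow src=10.1.2.15 dst=93.184.216.34 proto=tcp dport=443 bytes=120442
2009-03-01T09:01:12 action=allow src=10.1.2.40 dst=198.51.100.7 proto=tcp dport=80 bytes=9201
2009-03-01T09:01:30 action=allow src=10.1.2.40 dst=203.0.113.99 proto=tcp dport=6667 bytes=512
2009-03-01T09:02:02 action=allow src=10.1.2.40 dst=203.0.113.99 proto=tcp dport=6667 bytes=640
2009-03-01T09:02:45 action=deny src=10.1.2.40 dst=203.0.113.99 proto=udp dport=53 bytes=77
2009-03-01T09:03:10 action=allow src=10.1.2.77 dst=198.51.100.7 proto=tcp dport=80 bytes=33000
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one key=value record into a dict; 'bytes' becomes an int."""
    rec = dict(KV.findall(line))
    rec["bytes"] = int(rec.get("bytes", 0))
    return rec


def aggregate_flows(log_text):
    """Roll records up per (src, dst, proto, dport) flow: bytes, hit count, denies."""
    flows = defaultdict(lambda: {"bytes": 0, "count": 0, "denied": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        f = flows[(r["src"], r["dst"], r["proto"], r["dport"])]
        f["bytes"] += r["bytes"]
        f["count"] += 1
        if r.get("action") == "deny":
            f["denied"] += 1
    return dict(flows)


def lone_services(flows):
    """proto/dport combinations used by exactly one internal source host.
    On the picture these are single thin spokes; in an email digest they vanish."""
    users = defaultdict(set)
    for (src, _dst, proto, dport), _agg in flows.items():
        users[(proto, dport)].add(src)
    return sorted(svc for svc, srcs in users.items() if len(srcs) == 1)


def to_dot(flows):
    """Emit a Graphviz DOT graph: hosts are circles whose area scales with bytes
    moved, edges carry proto/dport and hit count, denied flows are drawn red."""
    host_bytes = defaultdict(int)
    for (src, dst, _p, _d), agg in flows.items():
        host_bytes[src] += agg["bytes"]
        host_bytes[dst] += agg["bytes"]
    out = ["digraph egress {", "  node [shape=circle fixedsize=true];"]
    for host, b in sorted(host_bytes.items()):
        width = 0.4 + math.sqrt(b) / 200.0  # area ~ bytes, so width ~ sqrt(bytes)
        out.append(f'  "{host}" [width={width:.2f} label="{host}\\n{b} B"];')
    for (src, dst, proto, dport), agg in sorted(flows.items()):
        color = "red" if agg["denied"] else "black"
        out.append(f'  "{src}" -> "{dst}" [label="{proto}/{dport} x{agg["count"]}" color={color}];')
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    flows = aggregate_flows(SAMPLE_LOG)
    print(to_dot(flows))  # pipe into: dot -Tpng -o egress.png
    print("# services used by a single host:", lone_services(flows))
```

Pipe the output into `dot -Tpng` and the 6667/tcp spoke from a single workstation stands out immediately, which is exactly the kind of thing a page of emailed alerts buries.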
One other unexplored area, which is understandable given that we rarely know how to analyze the data we do have, is access recertification. In case you’re not familiar, recertification is the process of certifying that an account, or individual, needs a certain level of access within an application or system. For example, a clerk may need the ability to cut checks up to a certain dollar amount, while anything over that amount requires the next level of “supervisor” access. While we have systems that facilitate this process by providing detail on current access levels and a nice web interface, none of these systems use actual log data to help a “certifier” make a decision. Wouldn’t it be interesting if a manager could certify a person’s level of access while also knowing which levels of access or systems that individual has actually used in, say, the past month or year? It may be easier to understand what levels of access individuals need if we could simply point to the analysis of the logs and say “that user has access to this system but has not logged into it in the past year”. Then, let’s make that a visual representation…
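Here is what that log-backed recertification could look like, as an added example written for this page rather than taken from the original post or from any identity management product. It joins a constructed entitlement export against constructed application authentication logs, reports the last successful use of each entitlement relative to a review date, labels anything unused for over a year (or never used) as a revoke candidate, and prints a crude bar-chart view. Users, systems, roles and the log format are all invented.

```python
from datetime import datetime

# Constructed entitlement export: (user, system, role). Invented for this example.
ENTITLEMENTS = [
    ("jdoe", "payroll", "check_writer_5k"),
    ("jdoe", "payroll", "supervisor_unlimited"),
    ("jdoe", "hr-portal", "reader"),
    ("msmith", "payroll", "check_writer_5k"),
]

# Constructed application authentication log in key=value style. Also invented.
AUTH_LOG = """\
2009-02-10T08:12:44 system=payroll user=jdoe result=success role=check_writer_5k
2009-02-11T09:01:02 system=payroll user=jdoe result=success role=check_writer_5k
2008-01-20T14:22:10 system=payroll user=jdoe result=success role=supervisor_unlimited
2009-02-12T10:15:00 system=payroll user=msmith result=failure role=check_writer_5k
"""

AS_OF = datetime(2009, 3, 1)  # the date the certification campaign runs


def last_successful_use(log_text):
    """Map (user, system, role) -> datetime of the most recent successful login.
    Failed logins are evidence of attempts, not of use, so they are ignored."""
    last = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        rec = dict(kv.split("=", 1) for kv in rest.split())
        if rec.get("result") != "success":
            continue
        key = (rec["user"], rec["system"], rec["role"])
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        if key not in last or when > last[key]:
            last[key] = when
    return last


def recertification_report(entitlements, log_text, as_of, stale_days=365):
    """For every entitlement, say when it was last used and what the certifier
    should probably do: 'never' and 'stale' are revoke candidates, 'active' is a keep."""
    last = last_successful_use(log_text)
    rows = []
    for user, system, role in entitlements:
        when = last.get((user, system, role))
        row = {"user": user, "system": system, "role": role}
        if when is None:
            row.update(last_used=None, days_idle=None, status="never")
        else:
            idle = (as_of.date() - when.date()).days
            row.update(last_used=when.date().isoformat(), days_idle=idle,
                       status="stale" if idle > stale_days else "active")
        rows.append(row)
    return rows


def render_bars(rows, width=40, stale_days=365):
    """Crude visual version of the report: one bar per entitlement, length
    proportional to idle days, capped at twice the stale threshold."""
    lines = []
    for r in rows:
        idle = r["days_idle"] if r["days_idle"] is not None else stale_days * 2
        filled = min(width, idle * width // (stale_days * 2))
        bar = "#" * filled + "." * (width - filled)
        lines.append(f"{r['user']:8} {r['system']:10} {r['role']:22} |{bar}| {r['status']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_bars(recertification_report(ENTITLEMENTS, AUTH_LOG, AS_OF)))
```

The interesting row is the clerk who still holds “supervisor_unlimited” but last exercised it over a year ago: a web form listing current access would show the entitlement as perfectly normal, while the log says nobody would notice if it were removed.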
Just a thought.
The well-known practice and art of providing controls at multiple layers of the infrastructure is nothing new to those involved in the protection of information. As a general rule in defense-in-depth one must assume that at least one layer of the security architecture will fail. The follow-up question is, then what? How well will the systems and data be protected if we lose one layer of control? The current threat environment must also be taken into account when answering that question. Organizations have risks because of the way in which they operate IT, the industry they are in, and the business model they follow. A small manufacturing firm has a different threat and risk profile than a large multinational bank. But I ask the question: given the advances in technology, is your CIO keeping up? Does he or she understand that security controls are layered, with some overlap, for a specific purpose? Do they understand the specific risks in their own organization and why the controls were chosen in the first place?
Take for example the use of anti-virus. Almost all organizations use AV in some way to protect their systems from the latest malware, virus, and worm threats. But new malware threats seem to be growing at an alarming rate, which can be attributed directly to the maturing cybercrime organizations run out of Russia, HK, and Eastern Europe and their ever-increasing return on investment (they seem to be run more like businesses than chop shops). Symantec alone counted a 200+% increase in newly detected malware threats from 2007 to 2008. Can your AV keep up? Or better yet, how effective has it been over the last 6 months?
If you said you had an additional layer of security you need to apply to protect your systems, would your CIO understand the difference between AV and policy-based controls that rely on monitoring how system processes and applications interact with the operating system itself? If they don’t, they may well fall into the category of answering all questions with “but we use AV”. I’d question how many of those answering this way understand how effective (or ineffective) their current AV is. If they don’t understand the answer to that question they will likely make the fatal mistake of relying on an outdated technology (AV) that is ineffective at stopping the new and growing malware threat, while rejecting new technology that they don’t understand.
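To make that distinction concrete, here is an added example (written for this page; not from the original post and not any vendor’s product): a hash list standing in for AV definitions next to a couple of behaviour rules run over constructed process/OS interaction events of the kind a host intrusion prevention sensor reports. The sample “binaries”, the event fields, the process names and the rule names are all invented. The repacked dropper slips past the signature check because its bytes are new, but the policy check fires on what it does, not on what it looks like.

```python
import hashlib

# --- Signature-style control: a list of things already known to be bad. ---
# Constructed 'binaries' (just bytes) standing in for a dropper and a repacked variant.
KNOWN_DROPPER = b"dropper-v1"
REPACKED_DROPPER = b"dropper-v1-repacked-with-new-packer"
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_DROPPER).hexdigest()}  # the AV 'definition'


def signature_verdict(content):
    """True only if these exact bytes have been seen and catalogued before."""
    return hashlib.sha256(content).hexdigest() in KNOWN_BAD_SHA256


# --- Policy-style control: watch what processes do to the OS, not what they look like. ---
# Constructed process/OS interaction events; fields and values are invented for the example.
EVENTS = [
    {"pid": 401, "image": "iexplore.exe", "parent": "explorer.exe",
     "op": "net_connect", "target": "198.51.100.7:80"},
    {"pid": 402, "image": "update.exe", "parent": "iexplore.exe",
     "op": "file_write", "target": r"C:\Users\jdoe\AppData\Local\Temp\update.exe"},
    {"pid": 402, "image": "update.exe", "parent": "iexplore.exe",
     "op": "reg_write", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"pid": 403, "image": "winword.exe", "parent": "explorer.exe",
     "op": "file_write", "target": r"C:\Users\jdoe\Documents\memo.docx"},
]

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}


def rule_browser_child_drops_exe(ev):
    """A process spawned by a browser writes an executable under the user profile."""
    t = ev["target"].lower()
    return (ev["parent"].lower() in BROWSERS and ev["op"] == "file_write"
            and t.endswith(".exe") and "\\appdata\\" in t)


def rule_browser_child_autorun(ev):
    """A process spawned by a browser persists itself through a Run key."""
    return (ev["parent"].lower() in BROWSERS and ev["op"] == "reg_write"
            and "\\currentversion\\run\\" in ev["target"].lower())


POLICY = [rule_browser_child_drops_exe, rule_browser_child_autorun]


def policy_verdicts(events, policy=POLICY):
    """Map pid -> sorted names of the policy rules its behaviour violated.
    Nothing here depends on having seen the binary before."""
    hits = {}
    for ev in events:
        for rule in policy:
            if rule(ev):
                hits.setdefault(ev["pid"], set()).add(rule.__name__)
    return {pid: sorted(names) for pid, names in hits.items()}


if __name__ == "__main__":
    print("signature, known dropper:   ", signature_verdict(KNOWN_DROPPER))
    print("signature, repacked dropper:", signature_verdict(REPACKED_DROPPER))
    print("policy hits by pid:         ", policy_verdicts(EVENTS))
```

The trade-off a CIO should hear is that the rules catch the repacked sample only because its behaviour matches the policy, and a policy that is too broad will also block legitimate installers launched from a browser, so each rule needs tuning against the organization’s own normal activity.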
As a side note, infections today seem to come from users browsing the web. And this doesn’t have to be browsing to “suspect” or non-business sites, as many mainstream web sites have been compromised over the past few years. The security breach that is self-inflicted is always the hardest to live with as a security professional, all the while knowing you could have done something to stop it if only your CIO could keep up with current security threats and technology.