Time was when one of the key things a security technology had to avoid was initiating an avalanche of event notifications. Tuning technologies to alert only when something Very Certain™ and Very Bad™ had happened was the order of the day. Your firewall had to be absolutely certain that those inbound packets were not part of an established network flow, and your Intrusion Prevention System had to be able to state categorically that those packets contained an exploit attempt, before either of them raised an alert.
In the twentieth century, and even into the beginning of the twenty-first, we were in the habit of consulting our defences in isolation: the firewall tells me everything is OK, the IPS tells me everything is OK, the anti-malware tells me everything is clean, so everything is OK, right? Wrong. This myopic approach to security is one of the factors currently contributing to the success of targeted attacks around the world.
In reality the old adage about not being able to see the wood for the trees has never been truer. We focus too much on the “known-bad”, discarding the “normal” in the interest of a more streamlined and focussed analysis process, but we ignore the context at our peril.
Picture this: a security camera in the corridor outside your server room spies a person; let’s call him Dave. Using both gait recognition and facial geometry, the system confirms Dave’s identity, and even notes that he is wearing a cleaner’s uniform, which is good because Dave is a cleaner. Dave approaches the door to the server room and presents his NFC card to the door lock, which opens because the security camera and the door lock talk to one another. A second camera, inside the server room, confirms that it is indeed Dave who has walked through the door, and everything is fine.
Under the myopic model, all these events are discarded and filed away in a soon-to-be-purged log of “Nothing To See Here”. However, the context offered by this sort of run-of-the-mill event is invaluable, as we are about to see…
Dave, in the server room, instead of cleaning the floor, deviates from known-good behaviour. He sits down at a server and begins tapping away on the keyboard. This is clearly Not A Good Thing and should be ringing alarm bells somewhere. But if we strip out all the context that our clever brains remembered and correlated, what are we left with? A person in the server room using a computer. Stand down the SWAT team; this event is surely also destined for the “Nothing To See Here” folder.
In the age of targeted attacks, the rules for security event monitoring have also changed. Unless we begin to take advantage of the opportunities afforded by big data management and event correlation, and unless we begin to augment the information made available to our Security Information and Event Management (SIEM) systems, highly targeted attacks will continue to pass unnoticed. Attackers make use of legitimate user credentials and trusted relationships in order to maintain a presence at the heart of your most sensitive networks over a prolonged period of time, passing with impunity through your discrete security technologies, each of which, consulted on its own, sees nothing wrong.
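To make the Dave scenario concrete, here is a small correlator that keeps the physical-presence state the myopic model throws away and checks each console login against it. This is an added example written for this post, not the author's code or any SIEM product's; the event schema, the directory, the role policy and the log lines are all constructed for illustration. It shows the same stream evaluated two ways: event by event against a known-bad list (which raises nothing), and with context (which raises two alerts at the moment Dave sits down at the keyboard and logs in with an account that is not his).

```python
"""Context-aware correlation of individually unremarkable events.

Added example for the Dave scenario above; not the post author's code nor
any SIEM product's. The directory, role policy, event schema and log lines
are constructed for illustration.
"""
from collections import defaultdict

# Constructed directory and policy: who each person is, and what each role
# is expected to do. Anything outside the set is a deviation from known-good.
DIRECTORY = {"dave": "cleaner", "alice": "sysadmin"}
ROLE_POLICY = {
    "cleaner": {"enter", "exit", "clean"},
    "sysadmin": {"enter", "exit", "console_login"},
}

# Constructed event stream: a morning in the corridor and the server room.
EVENTS = [
    {"ts": "09:00:01", "type": "camera", "zone": "corridor", "person": "dave", "attire": "cleaner"},
    {"ts": "09:00:05", "type": "badge_in", "zone": "server_room", "person": "dave"},
    {"ts": "09:00:09", "type": "camera", "zone": "server_room", "person": "dave"},
    {"ts": "09:04:30", "type": "console_login", "zone": "server_room", "host": "srv-01", "user": "alice"},
    {"ts": "09:10:00", "type": "badge_out", "zone": "server_room", "person": "dave"},
    {"ts": "10:00:00", "type": "badge_in", "zone": "server_room", "person": "alice"},
    {"ts": "10:00:03", "type": "camera", "zone": "server_room", "person": "alice"},
    {"ts": "10:01:00", "type": "console_login", "zone": "server_room", "host": "srv-01", "user": "alice"},
]

# The myopic model: each event judged alone against a list of known-bad types.
KNOWN_BAD = {"badge_denied", "login_failed", "ids_signature_hit"}


def isolated_alerts(events):
    """Per-event evaluation with no memory. None of the events above qualify."""
    return [ev for ev in events if ev["type"] in KNOWN_BAD]


class Correlator:
    """Keeps the who-is-where state that the isolated view discards."""

    def __init__(self):
        self.pending = set()               # (zone, person): badged in, camera not yet confirmed
        self.occupants = defaultdict(set)  # zone -> people both badge and camera agree are inside
        self.alerts = []

    def alert(self, reason, ev, **context):
        self.alerts.append({"ts": ev["ts"], "reason": reason, "event": ev, **context})

    def process(self, events):
        for ev in events:
            getattr(self, "on_" + ev["type"])(ev)
        return self.alerts

    def on_camera(self, ev):
        zone, person = ev["zone"], ev["person"]
        role = DIRECTORY.get(person)
        # Context check 1: what the camera sees should agree with who the person is.
        if "attire" in ev and ev["attire"] != role:
            self.alert("attire does not match role", ev, role=role)
        # Badge and camera must agree before someone counts as present in a zone.
        if (zone, person) in self.pending:
            self.pending.discard((zone, person))
            self.occupants[zone].add(person)
        elif zone != "corridor" and person not in self.occupants[zone]:
            self.alert("person in zone without a badge entry", ev)

    def on_badge_in(self, ev):
        self.pending.add((ev["zone"], ev["person"]))

    def on_badge_out(self, ev):
        self.occupants[ev["zone"]].discard(ev["person"])

    def on_console_login(self, ev):
        zone, user = ev["zone"], ev["user"]
        present = self.occupants[zone]
        # Context check 2: the account used should belong to someone physically in the room.
        if user not in present:
            self.alert("account used by someone not physically present", ev, present=sorted(present))
        # Context check 3: whoever is in the room should be doing what their role does.
        for person in present:
            if "console_login" not in ROLE_POLICY[DIRECTORY[person]]:
                self.alert("role deviation at console", ev, person=person, role=DIRECTORY[person])


def correlated_alerts(events=EVENTS):
    """Run the full stream through the correlator and return its alerts."""
    return Correlator().process(events)


if __name__ == "__main__":
    print("isolated view:", len(isolated_alerts(EVENTS)), "alerts")
    for a in correlated_alerts():
        print(a["ts"], a["reason"], {k: v for k, v in a.items() if k not in ("ts", "reason", "event")})
```

Note that the 09:04:30 login event is byte-for-byte as boring as the 10:01:00 one; only the remembered context (a cleaner is the sole occupant, and the account used belongs to someone who is not in the room) separates them. Alice's later session raises nothing because badge, camera, account and role all agree.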
Unless you learn to take two steps back and appreciate the view, you’ll only ever see the trees. Context is king.