The Dangers of Non-Contextual Pattern Matching

Wednesday, February 15, 2012

Rafal Los


Modern enterprises are bombarded with more information today than ever before.  Information pours in like water through a fire-hose 24 hours a day, 365 days a year and only seems to increase in volume as more devices are added daily and the corporate network expands. 

What many organization have adopted to manage the deluge of information is SEIM (Security Event and Incident Management) or SIM (Security Information Management) tools which in many cases amount to massive data collectors for log security event and log data.

What enterprises are typically sold on is that these SEIM or SIM devices will not only accumulate all these logs from across the organization but also sort them, and correlate them intelligently to help the security analysts sift through the millions of generated events to find the actual critical issues that require attention. 

What they usually get even today is little more than a pattern-matching engine which is extremely error prone and requires human analysis. Then something like this happens...

"Man says workplace quip made him a terror suspect"

"MONTREAL — A casual text message to work colleagues encouraging them to "blow away" the competition at a trade show allegedly plunged a Muslim man into a terrorism probe. Telecommunications sales manager Saad Allami says the innocent message, aimed at pumping up his staff, has had devastating consequences on his life. The Quebec man says he was arrested by provincial police while picking up his seven-year-old son at school. A team of police officers stormed into his home, telling his wife she was married to a terrorist. And his work colleagues were detained for hours at the U.S. border because of their connection to him."

The lesson for us all whether we're in Information Security or homeland security is simple, simple pattern matching is dangerous, and produces more issues than it solves.  This does not bode well for those of us in information security departments where we're drowning in more information about our environment than we could possibly analyze in a single lifetime.  Technology isn't just an answer it's the answer here, but that's only part of the solution.

Remember a while ago how I seemed to rant on and on about how while everyone is trying to sell you solutions that come in the form of a SKU and are shipped to you in a box or with a license key - what you really need is solid technology with serious human resources to make sure that it's effectively launched and then fiercely maintained.

Solid Technology

Technology for the processing of massive amounts of information can come in two flavors.  It can either be built up on a platform in-house (I highly recommend something like a private cloud environment) or delivered as a service from a public cloud offering (SIRMaaS - Security Information and Risk Management as a Service). 

The reason I'm recommending both platforms be built upon the cloud is that you need an elastic compute platform that can scale up and down (probably never down) as your computational and storage needs grow.  The odds of a single piece of iron handling the massive computing power needed to crunch hundreds of millions of log events daily from today's fast-moving enterprise is highly improbable.

You'll want a strong platform, but I just mentioned that.  Next you actually want a flexible, extensible, and powerful analysis platform which can take in all kinds of formats from all kinds of devices, normalize them, perform the necessary analysis and produce relevant and context-aware output.  That last part is the key. 

Many platforms have "grown up" to the point that they can handle a large volume of input, even sport a large and diverse input capability - but few have the ability to deliver relevant and context-aware output. 

That context-aware output generally means the tool you're using knows your computing and operating environment, your applications and can tell the difference between an important operational issue affecting system availability, and a critical operational issue affecting system integrity.  Those two are miles apart in the world of risk management.

When all is said and done, you want a world-class technology platform that won't choke on data, can bring together analysis plus context, and produce it into a format that you can readily consume for incident response in the right quantity.

Effectively Launched

I can't even begin to tell you in the years that I've been in IT how many times I've thought I could just RTFM (you'll just have to Google that one) and be able to stand up a complex technology platform.  Oddly enough each time I was wrong.  It's not about being able to read a manual... it's about knowing the platform inside and out, and knowing what works well, what won't work, and where compromises need to be made. 

Part of getting a solid program off the ground requires a strong set of experts who really understand how to architect appropriately from the administration concepts, to system design, to layout to database storage requirements and so on.

At the risk of sounding like a sales guy - pay for the professional services to have it installed and launched right.  You don't want to find out at 6 months that the multi-million dollar system you installed to help you operationalize security response faster chokes when you add one more device.  Whoops... been there, and done that.  It's ugly.

Effectively launching a security technology generally requires people who have been doing it for a while, are certified on it - and generally live and breathe the product day in and day out.  Trust me, this is a wise investment.

Fiercely Maintained

The number one cause information security organizational inefficiency is the mass glut of technologies amassed over the years and left to run amuck.  This isn't a scientific study that I can point you to, but rather years of hard experience and knowing people who have the scars to prove it.  If your IT systems (not just your security tools) could talk, they would tell you to maintain them fiercely. 

Just like you change your oil at 4,999 miles to avoid going over 5,000 without an oil change - you should take constant care and tuning of a security system this seriously.  Why?  Because a person's life and livelihood may hang in the balance... or the personal health record of 2,000,000 Canadians may be at risk, or something else.

Maintaining your security tech is paramount, period. I could keep hitting you with cliche after cliche but it doesn't matter if you don't grasp the importance of your technology being carefully and fiercely maintained.  This means that rules need to be revisited regularly whatever that means to you... maybe it's weekly, monthly, or quarterly but regularly. 

Make sure you're constantly tuning and optimizing scalability for performance - inability to perform workload in time can quickly overwhelm a system like a SIRM and set you back minutes at a time until you're a day or more behind and then your real-time multi-million-dollar system is of zero value.

Ensure you're adding that context that makes analytics tools valuable.  A port scan on its own is Internet noise.  A single attempt to exploit a non-existent vulnerability across multiple systems is typically no cause for alarm either. 

Even a system inconsistency such as an abnormal page transition velocity on your flagship web application can be overlooked - until you put all those together and realize you're being SQL Injected and someone is stealing your multi-terabyte database out from under you right now.  It's not until multiple systems and events are added together that 'odd' becomes 'suspicious' joins with 'alarming' to become 'critical'.  This is how effective organizations respond in real-time to threats... context + massive analysis capabilities.

In the final analysis, context is critical, and an analysis system built on solid technology, implemented effectively and maintained fiercely is the only way you'll even have the slightest chance to defend your organization against the daily threats. 

If you're trying to go at it alone, I wish you lots of luck... and endless cups of coffee.  If you're hoping technology will do it all for you... you don't need luck you need a helmet for the inevitable sudden stop.

Good luck out there.  If you want to talk about how this type of solution is possible ... find me.

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Information Security
Security Strategies Cloud Computing Log Management SIEM Attacks Managed Services Information Security Network Security Monitoring Database Activity Monitoring Rafal Los IT Security SIRMaaS
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.