Thursday, March 09, 2006
The Art of Digital War - [Part 2] Alarms in Digital Intrusion
The following table shows a set of words and its frequency. I know you must be wondering about, frequency related to what? That’s the key!
Word | Frequency | Word | Frequency | Word | Frequency | ||
The | 1101 | That | 389 | As | 228 | ||
And | 878 | Is | 334 | Be | 226 | ||
To | 726 | Not | 315 | Lord | 218 | ||
Of | 657 | This | 296 | He | 216 | ||
I | 561 | His | 292 | What | 203 | ||
You | 544 | But | 265 | So | 197 | ||
My | 508 | With | 257 | Him | 189 | ||
A | 498 | For | 247 | Have | 179 | ||
In | 414 | Your | 242 | …. | …… | ||
It | 414 | Me | 235 |
The above table shows the word count from Shakespeare’s Hamlet!
If we put these words in the ‘RIGHT CONTEXT’ you will get a classic in English literature.
‘To be or not to be: that’s the question’ is a famous quote from Shakespeare's Hamlet by Prince Hamlet (ofDenmark
Now let us look at the current set of Intrusion Detection Systems. It generates Alarms with some severity (and lots of them are false positives) and the current breed of Enterprise Security Management software’s do some basic algorithms to do the scoring which ends up similar to the data in the following table.
If we put these words in the ‘RIGHT CONTEXT’ you will get a classic in English literature.
‘To be or not to be: that’s the question’ is a famous quote from Shakespeare's Hamlet by Prince Hamlet (of
Now let us look at the current set of Intrusion Detection Systems. It generates Alarms with some severity (and lots of them are false positives) and the current breed of Enterprise Security Management software’s do some basic algorithms to do the scoring which ends up similar to the data in the following table.
Alarm | Risk Score / Priority / Event Count |
Alarm 100 | 1101 |
Alarm 12931 | 878 |
Alarm 14987 | 726 |
Alarm 231 | 657 |
If you compare the two set of table it doesn’t tell you exactly the story behind those words (or Alarms). Security Analysts with their experience and intuition runs through these Alarms and creates a mental map of a potentially story. However, what matters or what the industry or the Security Analysts wants, is to put these words (Alarms/Events) in the ‘RIGHT CONTEXT’!
Therefore, why don’t we look at this data set from a different point of view? i.e., instead of Security Events, Why don’t we try to see a ‘Conversation’?
For Example.
For Example.
1. A financial user using his Financial Application for his routine daily job.
2. Customers accesing the Web Application
3. Inter department communications.
All these have a definitive start and end segments. However currently we look at all these transactions as events and then we do correlate based on these events.
Now why should we see events? Why can’t we see a conversation?
What is a Conversation?
A Conversation happens when a user logs into a system do certain activities and then logs off.A Conversation could be for few seconds to hours, depends upon the nature of the conversation. A Conversation could be polite or rude! So the idea is clear. A Conversation shows a set of events in itslogical order (or grouping them in its logical order).
All these have a definitive start and end segments. However currently we look at all these transactions as events and then we do correlate based on these events.
Now why should we see events? Why can’t we see a conversation?
What is a Conversation?
A Conversation happens when a user logs into a system do certain activities and then logs off.A Conversation could be for few seconds to hours, depends upon the nature of the conversation. A Conversation could be polite or rude! So the idea is clear. A Conversation shows a set of events in itslogical order (or grouping them in its logical order).
If we look at the usual network traffic, most of raw events (Alarms generated by the security devices) can be grouped under a certain types of conversations. For Example;
1. Business Conversation
Legitimate web users or business partners accessing the Application server (Web Services).
2. Inter - Department Conversations
Understanding the applications which communicate across the department (in normal office hours)
Employees browsing the web pages, checking personal emails etc
4. Un-known Conversation
This type of conversations is the one which doesn’t fit into current business rules or policies.
5. Rude Conversation
An Attacker scanning a server and compromising it
6. Impolite Employee Conversation
Employees breaking the security policies
Self propagating worm attack
Data doesn’t tell a story unless it is interpreted in the right way.
1. Business Conversation
Legitimate web users or business partners accessing the Application server (Web Services).
2. Inter - Department Conversations
Understanding the applications which communicate across the department (in normal office hours)
Employees browsing the web pages, checking personal emails etc
4. Un-known Conversation
This type of conversations is the one which doesn’t fit into current business rules or policies.
5. Rude Conversation
An Attacker scanning a server and compromising it
6. Impolite Employee Conversation
Employees breaking the security policies
Self propagating worm attack
Data doesn’t tell a story unless it is interpreted in the right way.
