Thursday, September 21, 2006
The Art of Digital War - [Part 3] Abstract Data Types in the Security Domain
Abstract Data Types in the Security Domain
The objective of this section is to identify the key abstract data types required to handle any type of security-related data, so that Digital Intrusions / Extrusions can be identified and the necessary remediation process can be taken to mitigate those attacks.
Handling millions of network events per day (generated by routers, firewalls, IDS/IPS etc.) is one of the key elements of every Security Management solution. The other sets of information collected for processing and mining attack patterns include OS logs, vulnerability information for an asset, network topology, the Asset Database, Identity Management systems and Application Logs. So you end up with a lot of different data types. One of the biggest challenges is to normalize this information across vendors. However, before the normalization process, the key step is to identify and classify the data types.
So, let me start with two fundamental data types and see how they fit the data sources available from different vendors and create Digital ‘Conversations’. The two abstract data types are:
1. Entities
2. Atomic Events
Entity[1]
An Entity is a ‘thing’ in the system with certain properties. For example, an ‘Asset’ (a machine) with a set of services (applications) running (listening on a port), a ‘User’ with one or more roles and privileges, or an ‘Application’ which is farmed out across a server farm.
The first diagram shows the attributes of an Asset (a Financial Server) as an Entity. The OS, services and CVE information are for illustration purposes only.
The next diagram shows the attributes of a User as an Entity. The user, applications and CVE IDs are for illustration purposes only.
In the same way you can create an Intruder as an Entity with certain characteristics based on attack patterns, the impact of the attacks etc., or an Application as an Entity with vulnerability profiles and network characteristics (how it communicates on the network, with what protocols, what kind of services it provides, the impact of those protocols/services in the event of a failure etc.).
So, the idea of an Entity is clear: it identifies the ‘thing(s)’ in your enterprise or outside it with a certain set of characteristics. Now let us look at what an Atomic Event is and how it ties two entities together.
Atomic Event
An Atomic Event is created when any two entities talk to each other. Atomic Events can’t be broken down further. For example, a Firewall Network Status Event (a Connection Open or Connection Closed event).
Conversation
Grouping Atomic Events in a specific environment (Zones) and context creates a Conversation. Read Part 2 of this series to learn more about the various types of Conversations.
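As an added example (not code from the original post), here are the three data types modelled in Python: an Entity with illustrative properties, an Atomic Event normalized from two constructed vendor firewall log formats, and Conversations grouped by zone pair and entity pair. The asset registry, log formats and addresses are all constructed assumptions; addresses missing from the registry are treated as external Intruder entities.

```python
from dataclasses import dataclass
from collections import defaultdict
import re
@dataclass(frozen=True)
class Entity:            # a 'thing' with properties: asset, user, application, intruder
    name: str
    kind: str
    zone: str
    attributes: tuple = ()   # illustrative only, e.g. (("os", "Linux"),)

@dataclass(frozen=True)
class AtomicEvent:       # indivisible exchange between two entities
    source: Entity
    target: Entity
    action: str          # normalized to "conn_open" or "conn_close"
    ts: int

# Constructed asset registry keyed by address (stands in for the Asset Database).
REGISTRY = {
    "10.0.1.5": Entity("fin-srv-01", "asset", "internal", (("os", "Linux"),)),
    "10.0.2.9": Entity("ws-042", "asset", "office"),
}
# Two constructed vendor firewall formats and the shared action vocabulary.
VENDOR_A = re.compile(r"ts=(\d+) src=(\S+) dst=(\S+) state=(open|close)")
VENDOR_B = re.compile(r"(\d+) FW: (\S+)->(\S+) (ACCEPT|TEARDOWN)")
ACTION = {"open": "conn_open", "ACCEPT": "conn_open",
          "close": "conn_close", "TEARDOWN": "conn_close"}

def normalize(line):
    """Parse one vendor line into an AtomicEvent; None if the format is unknown."""
    m = VENDOR_A.search(line) or VENDOR_B.search(line)
    if not m:
        return None
    ts, src, dst, state = m.groups()
    # Addresses absent from the registry become external 'intruder' entities.
    src_e = REGISTRY.get(src) or Entity(f"unknown-{src}", "intruder", "external")
    dst_e = REGISTRY.get(dst) or Entity(f"unknown-{dst}", "intruder", "external")
    return AtomicEvent(src_e, dst_e, ACTION[state], int(ts))

def conversations(lines):
    """Group atomic events by (source zone, target zone, source, target)."""
    groups = defaultdict(list)
    for ev in filter(None, map(normalize, lines)):
        groups[(ev.source.zone, ev.target.zone, ev.source.name, ev.target.name)].append(ev)
    return dict(groups)

# Constructed sample lines from the two vendors plus one unparseable line.
LOGS = ["ts=100 src=203.0.113.7 dst=10.0.1.5 state=open", "101 FW: 10.0.2.9->10.0.1.5 ACCEPT",
        "ts=105 src=203.0.113.7 dst=10.0.1.5 state=close", "garbage line"]
```

Calling `conversations(LOGS)` yields two conversations: the external-to-internal one holding the open and close events from 203.0.113.7, and the office-to-internal one with a single open event; the unparseable line is dropped rather than guessed at.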
References
[1] The Merriam-Webster definition of an Entity is:
1. independent, separate, or self-contained existence
2. the existence of a thing as contrasted with its attributes
3. something that has separate and distinct existence and objective or conceptual reality
Work in Progress ......