Uncategorized / May 11, 2016

The Holy Grail of Information Security

The goal of any advanced anomaly detection, machine learning, or behavioral analytics tool is to analyze network traffic and alert when it sees a bad thing. The key, however, is knowing a bad thing from a good thing. That knowledge—of good versus bad intention—is the holy grail of information security.

Got CIA?

First things first. Unless you are assured confidentiality, integrity, and availability (CIA), it’s impossible to determine good versus bad intent. CIA is the gold-standard triad that drives security decisions because these three properties are what cybersecurity protects.

To explain, let’s say you’re a CEO. You’ve got an hour before a board meeting and you need a way to confidentially get your company’s top secret financial data off a file server so you can report the quarterly numbers to the board without fear of being overheard. When you assume you have confidentiality, you act one way; if you think there’s a possibility of being snooped on, you need to operate differently.

Same goes for integrity. Can you trust the data coming off the file server? Is it accurate? Could anyone have altered the numbers?

And finally, availability. Can you always get to the data you need? Do you have adequate bandwidth? Do you have enough servers? Are they always up? Do they break? Can you be sure that systems are getting the right data to the right people?

If any of these CIA elements is broken, it is very difficult to determine a good thing from a bad thing. You’d be left questioning: Did the system fail because we were attacked? Or did it fail because one of these elements is broken?

However, if all three are working well, you have a solid cybersecurity foundation and can begin to dissect intent.

A Classic Tale of Good Versus Evil

Let’s think about an easy example of determining good from bad intent.

You come into your office on Monday morning and are notified that you need to change your network login password. You’re busy, you don’t have time, you forget about it. Tuesday, Wednesday, Thursday pass. On Friday afternoon, you get a final notification that you need to change your password before the end of the day. You’re just about to leave the office for the weekend, but you stop and change your password.

The following Monday, you arrive at the office, go to log in, and can’t remember your new password. You try three, four, five different password combinations, nothing’s working, your office phone rings. It’s the IT helpdesk—they see you’ve been having some trouble. You tell them how you changed your password on Friday, but now can’t remember it. Luckily for you, the helpdesk also sees that you’re badged into the building and they proceed to help you reset your password. Heigh-Ho, off you go, back to work, what a great helpdesk.

. . . because even if you hadn’t been at your desk when they called, they would have guessed that someone else was at your desk trying to break in or that a remote attack was happening against your account, at which point they would have escalated the issue to the security department.

That’s perfect security.
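The helpdesk story above is a correlation rule: a burst of failed logins on an account means nothing on its own, and the badge system supplies the context that turns it into either a password reset or an escalation. The script below is an added example (not code from the post) that runs that rule over constructed authentication and badge log lines; the log format, the five-failures-in-ten-minutes threshold, and the twelve-hour badge freshness limit are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from the post). Format: "<ISO time> <source> key=value ...".
AUTH_LOG = """\
2016-05-09T08:01:10 auth user=jdoe result=FAIL
2016-05-09T08:01:25 auth user=jdoe result=FAIL
2016-05-09T08:01:40 auth user=jdoe result=FAIL
2016-05-09T08:02:02 auth user=jdoe result=FAIL
2016-05-09T08:02:30 auth user=jdoe result=FAIL
2016-05-09T08:03:15 auth user=bkim result=FAIL
2016-05-09T08:03:40 auth user=bkim result=OK
2016-05-09T08:10:00 auth user=asmith result=FAIL
2016-05-09T08:10:05 auth user=asmith result=FAIL
2016-05-09T08:10:11 auth user=asmith result=FAIL
2016-05-09T08:10:16 auth user=asmith result=FAIL
2016-05-09T08:10:22 auth user=asmith result=FAIL
"""

BADGE_LOG = """\
2016-05-08T17:30:02 badge user=asmith event=EXIT
2016-05-09T07:52:14 badge user=jdoe event=ENTRY
2016-05-09T07:58:40 badge user=bkim event=ENTRY
"""

FAIL_THRESHOLD = 5                     # assumption: failures that count as "trouble"
FAIL_WINDOW = timedelta(minutes=10)    # assumption: span in which they must occur
BADGE_MAX_AGE = timedelta(hours=12)    # assumption: an older badge-in is stale


def parse_events(text):
    """Parse one event per line into a dict with a datetime 'ts', the 'source'
    (auth or badge) and the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts), "source": source}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def failed_login_bursts(auth_events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return {user: time of the last failure in the burst} for every user with
    `threshold` failures inside some `window`-long span."""
    fails = defaultdict(list)
    for e in auth_events:
        if e.get("result") == "FAIL":
            fails[e["user"]].append(e["ts"])
    bursts = {}
    for user, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts[user] = times[i + threshold - 1]
                break
    return bursts


def badged_in(badge_events, user, at, max_age=BADGE_MAX_AGE):
    """True if the user's most recent badge event before `at` is a fresh ENTRY."""
    prior = [e for e in badge_events if e["user"] == user and e["ts"] <= at]
    if not prior:
        return False
    last = max(prior, key=lambda e: e["ts"])
    return last["event"] == "ENTRY" and at - last["ts"] <= max_age


def triage(auth_log, badge_log):
    """Map each user with a failed-login burst to the helpdesk's decision."""
    auth_events = parse_events(auth_log)
    badge_events = parse_events(badge_log)
    decisions = {}
    for user, when in failed_login_bursts(auth_events).items():
        if badged_in(badge_events, user, when):
            decisions[user] = "assist_reset"   # on site: most likely a forgotten password
        else:
            decisions[user] = "escalate"       # nobody badged in: hand to the security team
    return decisions


if __name__ == "__main__":
    for user, decision in sorted(triage(AUTH_LOG, BADGE_LOG).items()):
        print(f"{user}: {decision}")
```

With the sample data, jdoe is badged in and gets a reset, asmith badged out the previous evening and is escalated, and bkim never crosses the threshold. The decision never depends on the login failures alone; it is the second data source that distinguishes good from bad.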

Unfortunately, it’s not always so easy. And one of the tricky parts is that every network is different. What may be good on one may not be good on another. Each has its unique good-bad intent threshold.

In some cases, having clear-text credit card information on a network would be terrible. However, if you’re a payment processing company with a PCI-certified network, it’s not only okay to have credit card data flying in the clear on the network, it’s a necessity. It all comes down to context—derived from having complete visibility into network traffic.

The Good, the Bad, and the Unknown

Designed to create a good versus bad baseline of intent, anomaly detection and behavioral analytics tools go onto a network, run for a few months, and come back and say, “Okay, here is the behavior and types of applications we see. Now, you tell us what is good, what is bad. Then, when we see something that deviates, we’ll alert you.”

The problem is that every one of these tools ends up having a bucket called unknown. So even if the tools have analyzed a network, there’s always this lump of traffic that’s left uncategorized. The reason is that when behavioral analytics tools only see partial traffic or partial conversations, they fail to identify the type of traffic. And, for all intents and purposes, this incomplete view renders them—and other security tools—useless.
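To make the unknown bucket concrete, here is an added example (not code from the post or from any particular product) of the baseline-then-label workflow described above, run over constructed flow records. Each record carries a flag saying whether the sensor saw both sides of the conversation or only one; the flow format, the addresses and the operator labels are all assumptions for the example. Partial conversations can never be judged, and a service the baseline only ever saw partially is not learned either, so its later complete flows are flagged as deviations.

```python
from collections import Counter

# Constructed flow records (not from the post). One flow per line:
# "<client> <server> <port> <seen>", where seen is "both" when the sensor
# captured packets in both directions and "c2s" or "s2c" when it saw one side.
BASELINE_FLOWS = """\
10.0.0.5 10.0.1.20 443 both
10.0.0.6 10.0.1.20 443 both
10.0.0.5 10.0.1.30 445 both
10.0.0.7 10.0.1.40 3306 both
10.0.0.8 10.0.1.40 3306 both
10.0.0.9 10.0.1.50 25 c2s
"""

# What the operator answered when shown the baseline (assumption: the labels
# are the network owner's judgement; the tool only proposes the service list).
OPERATOR_LABELS = {
    ("10.0.1.20", 443): "good",
    ("10.0.1.30", 445): "good",
    ("10.0.1.40", 3306): "good",
}

# Traffic seen after the baseline period (constructed).
NEW_FLOWS = """\
10.0.0.5 10.0.1.20 443 both
10.0.0.6 10.0.1.30 445 s2c
10.0.0.7 10.0.1.99 4444 both
10.0.0.8 10.0.1.40 3306 c2s
10.0.0.9 10.0.1.50 25 c2s
10.0.0.9 10.0.1.50 25 both
"""


def parse_flows(text):
    """Parse the constructed flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            client, server, port, seen = line.split()
            flows.append({"client": client, "server": server,
                          "port": int(port), "seen": seen})
    return flows


def learn_baseline(flows):
    """Services the tool can vouch for: only conversations it saw completely."""
    return {(f["server"], f["port"]) for f in flows if f["seen"] == "both"}


def classify(flow, baseline, labels):
    """'unknown' for a partial conversation, the operator's label for a baselined
    service, and 'alert' for a complete conversation the baseline never saw."""
    if flow["seen"] != "both":
        return "unknown"
    key = (flow["server"], flow["port"])
    if key in baseline:
        return labels.get(key, "unlabeled")
    return "alert"


def bucket_report(new_flows_text, baseline_text, labels):
    """Count verdicts over the new traffic and report the size of the unknown bucket."""
    baseline = learn_baseline(parse_flows(baseline_text))
    verdicts = [classify(f, baseline, labels) for f in parse_flows(new_flows_text)]
    counts = Counter(verdicts)
    return {"counts": dict(counts),
            "unknown_fraction": counts["unknown"] / len(verdicts)}


if __name__ == "__main__":
    print(bucket_report(NEW_FLOWS, BASELINE_FLOWS, OPERATOR_LABELS))
```

Half of the new flows land in the unknown bucket, and the mail server on port 25 raises an alert even though it has been on the network all along, because the sensor never saw a complete conversation with it during the baseline. Both outcomes are visibility problems, not intent problems, which is the point the post makes.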

Whether a malware protection tool is trying to determine if an executable is good or bad or a data loss protection tool is trying to decide if a document should be allowed to leave a network, they need context (i.e., 100 percent visibility into the traffic traversing the network) to make a decision about good or bad.

My mantra: If I can’t get a tool the traffic it needs in order to operate effectively, why buy the tool? It’s time to find another solution.

But remember, choose wisely.
