Monday, August 30, 2010

Success

The other day, I was having a conversation with someone who used some of my jumping off points on one of the large, enterprise networks they monitor. They were shocked that the jumping off points were able to identify some truly sketchy traffic on that network (serious compromises). They said to me, "your theory really works!". To which I replied, "it's not a theory -- it's been tested and proven repeatedly." Another believer.

Monday, August 16, 2010

Elegance in Brevity

It seems to be a common misconception that in order for a solution to be value-add and useful, it must be cumbersome and complex. I'm not sure why this is, as in practice, I've found this to be quite the opposite. There is elegance -- and usefulness -- in brevity. For example, many cyber security teams struggle with what information they should share/pass around to other teams to be good netizens and collaborators. Well, for starters, why not pass around malicious domain names and malicious code MD5 hashes? True, this is not the whole kit and caboodle and doesn't tell the whole story, but if we all shared even just those two pieces of data, wouldn't we be better off as a community?

Some interesting food for thought.
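To show how little machinery those two shared fields need on the receiving end, here is an added example (not code from the original post): a constructed "type,value" feed of domains and MD5 hashes is normalized and matched against constructed proxy log lines and file hashes, with subdomains of a listed domain counted as hits.

```python
import re
# Constructed feed in the two-field form the post proposes: one indicator per line.
INDICATOR_FEED = """domain,bad-updates.example
domain,Telemetry.Evil-CDN.example.
md5,D41D8CD98F00B204E9800998ECF8427E
"""
# Constructed proxy log lines and file-hash records to screen against the feed.
PROXY_LOG = [
    "2010-08-16T10:01:02 10.0.0.5 GET http://www.good.example/index.html",
    "2010-08-16T10:02:17 10.0.0.9 GET http://cdn.bad-updates.example/u.bin",
    "2010-08-16T10:03:44 10.0.0.9 GET http://telemetry.evil-cdn.example/ping",
]
FILE_HASHES = {r"C:\tmp\u.bin": "d41d8cd98f00b204e9800998ecf8427e",
               r"C:\tmp\ok.txt": "0cc175b9c0f1b6a831c399e269772661"}
HOST_RE = re.compile(r"https?://([^/\s:]+)")

def normalize_domain(name):
    # Lower-case and drop a trailing dot so feed and log spellings compare equal.
    return name.strip().lower().rstrip(".")

def load_indicators(feed_text):
    # Parse "type,value" lines into a domain set and an MD5 set; malformed hashes are skipped.
    domains, md5s = set(), set()
    for line in feed_text.splitlines():
        kind, _, value = line.partition(",")
        if kind == "domain":
            domains.add(normalize_domain(value))
        elif kind == "md5" and re.fullmatch(r"[0-9a-fA-F]{32}", value.strip()):
            md5s.add(value.strip().lower())
    return domains, md5s

def matching_domain(host, domains):
    # Return the listed domain equal to host or to one of its parents, else None.
    labels = normalize_domain(host).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in domains:
            return ".".join(labels[i:])
    return None

def screen_proxy_log(lines, domains):
    # (log line, matched indicator) for every request to a listed domain or subdomain.
    hits = []
    for line in lines:
        m = HOST_RE.search(line)
        hit = matching_domain(m.group(1), domains) if m else None
        if hit:
            hits.append((line, hit))
    return hits

def screen_file_hashes(files, md5s):
    # (path, md5) for every file whose hash is on the shared list.
    return [(p, h.lower()) for p, h in files.items() if h.lower() in md5s]
```

The normalization step matters in practice: a feed entry with different casing or a trailing dot would otherwise silently miss the same domain in your logs.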

Monday, August 2, 2010

Spotting a True Anomaly

The other day, I was boarding an 8 AM flight with a cup of coffee (purchased after the security checkpoint) in my hand. If you've ever taken an 8 AM flight, you know that you're probably leaving for the airport around 6 AM. Wanting to take a cup of coffee on the flight with you is not such an anomaly. In other words, it's a very expected type of behavior. Nonetheless, TSA pulled me aside as I was waiting to board, in their words "because you want to board the plane with a cup of coffee, we will need to vapor test your coffee". They proceeded to hold what looked like litmus paper over the coffee. They then sprayed the paper with some clear liquid and pronounced my coffee free of harmful vapors. I was then free to board the plane.

There are a few issues with this logic:

1) One is allowed to purchase liquids after the security checkpoint and bring them on board the aircraft. This is an accepted behavior that is seen frequently and has been identified as legitimate by TSA authorities. Functionally, this is a whitelisted behavior. So why waste precious TSA personnel cycles on it?

2) If I wanted to mix something into the coffee to produce some sort of harmful vapor, I would wait until I was on the plane to do so. Why would I waste precious vapors before boarding?

3) I could just as easily order coffee on the plane, mix something into it, and have the same effect without TSA being able to vapor test my coffee. The TSA test is easily avoided.

So you're probably asking yourself what relevance this has to this blog. In the above example, the TSA inspector (the analyst in this example) pulled me aside for what he considered an anomalous behavior. The problem is that my behavior was routine, legitimate, widely accepted, and easily explained. It wasn't a wise use of precious analyst cycles.

It works the same in the cyber realm. We need to make sure we optimize analyst workflow so that analysts spend most of their day chasing down true anomalies that have no easy explanation, aren't routine, aren't legitimate, and aren't widely accepted. There are a lot of ways to generate fruitless leads for analysts to chase down. The challenge is generating actionable, focused leads. That's where taking an analytical approach can help.

Moving back to the physical realm, I hope the good folks at TSA will take a good look at the value-add of some of these procedures. TSA personnel's time is valuable and limited. They should be focused on procedures with high value-add.