Security: It’s All About Philosophy

Sandy Lii

Perimeter security solutions are like the walls of a fort: companies have been trying to strengthen these proverbial walls, building them as tall and as thick as possible. But realistically, how tall and thick can these walls be without impacting daily functions? And are these walls really stopping all the intrusions?

Sadly, the answer is no.

Just like bad guys don’t usually knock on your front door, identify themselves truthfully, and wait to be invited in, many security threats disguise themselves well and aren’t immediately recognizable to us.

So how do we get rid of these threats without building the walls so high that we no longer see the sun? It’s all about philosophy.

It all happened at a lunch, where our Senior Director of R&D, Jason Fredrickson, suddenly went all philosophical and started to discuss the relationship between deductive/inductive reasoning and intrusion detection mechanisms. Deductive reasoning, the basis of traditional signature-based intrusion detection solutions, is used to reach logically certain conclusions based on general statements. For example:
  1. If a man with a knife shows up at your door, then he will rob your house.
  2. The man coming in did not have a knife.
  3. The man will not rob your house.
Little did you know, just like rootkit malware, the man actually stole the spare key hidden under the door mat, used it to unlock the door, and took all your valuables.

Inductive reasoning, used by behavior-based intrusion detection, however, states it this way:
  1. If a woman unknown to you appears in your house, there is a 60% chance that she will rob your house.
  2. There is a woman unknown to you in your house.
  3. There is a 60% chance that this woman will rob your house. Consider calling the police?
Just as with anything probabilistic, inductive reasoning works well when the sample size is reasonably large. Many tools on the market therefore monitor network packets or look at log files to detect anomalous behaviors. But just like not trusting the house key in that man’s hand, how can you trust the information if the device has already been compromised? As I mentioned in Big Data Starts Small, at the Endpoints, many of these threats are buried beneath the operating system, deep in the kernel. To accurately derive normal behavior and pinpoint the outliers, there is a need to look into the endpoints (servers and end-user devices) to get to the heart of the threats.
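As an added illustration (not part of the original post, and not any vendor's code), here is the two styles of reasoning side by side over a constructed endpoint event log: a deductive signature check that only knows a list of bad process names, and an inductive baseline check that scores each process against what the rest of the fleet does. Host names, process names and the known-bad list are invented; the outlier score is a modified z-score (median and MAD), a choice made here rather than something the post prescribes.

```python
"""Deductive (signature) versus inductive (baseline) detection, run over a
constructed endpoint event log. Added illustration for this post; the hosts,
process names, and the known-bad list are invented, not real indicators."""
from collections import Counter
from statistics import median

# Constructed telemetry: (host, process, action). Each benign pair reads a
# credential file now and then; 'evil.exe' matches a signature; the unknown
# binary on ws05 matches nothing but reads credentials far more than anyone.
# Note that these counts come from the endpoint itself: if its kernel is
# already compromised, the log is the thing that can no longer be trusted.
BENIGN = [("ws01", "outlook.exe", 1), ("ws01", "chrome.exe", 0),
          ("ws02", "outlook.exe", 2), ("ws02", "excel.exe", 1),
          ("ws03", "chrome.exe", 0), ("ws03", "teams.exe", 1),
          ("srv01", "sqlservr.exe", 2), ("srv01", "backup.exe", 1)]
EVENTS = [(h, p, "file_read") for h, p, _n in BENIGN for _ in range(20)]
EVENTS += [(h, p, "cred_read") for h, p, n in BENIGN for _ in range(n)]
EVENTS += [("ws04", "evil.exe", "cred_read")]
EVENTS += [("ws05", "svchost32.exe", "cred_read")] * 12
EVENTS += [("ws05", "svchost32.exe", "file_read")] * 2

KNOWN_BAD = {"evil.exe"}  # constructed signature list

def deductive(events):
    """Signature logic: 'if the process is on the list, it is malicious'.
    Anything not on the list passes, however it behaves."""
    return sorted({(h, p) for h, p, _ in events if p in KNOWN_BAD})

def inductive(events, action="cred_read", threshold=3.5):
    """Baseline logic: count `action` per (host, process) across the fleet and
    flag pairs whose count is an outlier against that population, using the
    modified z-score 0.6745 * (x - median) / MAD. Median and MAD are used
    instead of mean and standard deviation so that the outlier itself does
    not inflate the baseline it is judged against."""
    counts = Counter((h, p) for h, p, a in events if a == action)
    pairs = sorted({(h, p) for h, p, _ in events})
    values = {pair: counts.get(pair, 0) for pair in pairs}
    med = median(values.values())
    mad = median(abs(v - med) for v in values.values())
    if mad == 0:
        return []  # no spread in the baseline: nothing can be called an outlier
    scores = {pair: 0.6745 * (v - med) / mad for pair, v in values.items()}
    return sorted((pair, round(s, 2)) for pair, s in scores.items() if s > threshold)

if __name__ == "__main__":
    print("signature hits:", deductive(EVENTS))      # only evil.exe
    print("baseline outliers:", inductive(EVENTS))   # only ws05/svchost32.exe
```

The signature check never sees the unknown binary, exactly like the man who came in with the spare key; the baseline check flags it, but only because the fleet gave it enough samples to know what "normal" credential access looks like.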

In the next blog post, I will go into the challenges of implementing Big Data for security analytics.
