Dan GriffinWelcome to the 30th edition of the JW Secure Informer, our bi-monthly newsletter. This is an opportunity to share what’s on our radar, specifically with respect to enterprise network security, but also regarding IT and business more generally.

The Informer is intended to be useful content and good for a quick read. So if it’s just clutter in your inbox, we’ve failed, and I hope you’ll let us know.

The Human Element of Cybersecurity Monitoring

In a recent article about Incident Response Management, Bruce Schneier defined security as:

  • Protection of access to assets
  • Detection of attacks against those assets
  • Response to those attacks

But, as Schneier points out, during the daily grind of IT operations (and even more so in the midst of a cyber-attack or data compromise), it’s easy to overlook the important details that make security effective. It takes the right balance of human attention and automation to protect an enterprise.

Protection of assets

First of all, a secure environment for high-value assets requires a complete inventory of those assets. This inventory is the basis of ongoing security operations, including the creation and implementation of a security model for asset protection. Maintaining an accurate inventory, and protecting those assets, requires a combination of IT tools and ongoing collaboration between business and IT.

Only the asset owner has the information needed to determine the value of the asset and who should have access to it. Frequently, the business group “owns” the data, but the data resides on systems operated and supported by one or more separate IT teams. So control of that asset is often delegated to system engineers in IT.

This introduces complexity, and complexity is the enemy of security. The more complex the system used to support the business, the more people will need access just to maintain security. The more people who have access to the asset, the harder it is to keep the data secure. To protect high-value assets, the maxim should be “Less is more.” The simpler the system and the fewer the people who have access, the more secure the assets will be.

Detection of attacks (SIEM)

Security Information and Event Management (SIEM) is the industry category name for systems that enable detection of anomalous IT system events. Events, or messages emitted by software, happen at a high rate in any computer system. The key to a successful detection system is to filter out the noise while triggering human escalation for events that indicate a violation of the business data security model. Unfortunately, this is where most security systems fail, because the right balance between too much and too little escalation is a constantly swaying tightrope.

False alarms are an underappreciated challenge in security. After just a couple, people will stop paying attention. The detection problem can be solved, though. Again, the foundation is your inventory, and the data flow and threat analysis that build on it. By prioritizing threats according to which assets and data flows represent the highest risk/value to the enterprise, you can determine what events from which systems represent threats that merit human evaluation. Any event that is detected by this filtering process should log an incident report that is tracked until it is resolved.

How to respond

In the two steps above, Protection and Detection, the best practice is to minimize human interaction. As many companies have recently and very publicly learned though, these steps are not enough. The most tragic failure occurs when the filters in the detection system create more incidents than can be evaluated by analysts on staff. Response requires human involvement, and it is vital that there is sufficient staff to effectively respond to any logged incident. This necessity makes response a user interface problem, and it can limit the effectiveness of current industry incident response programs.

Just enough detection

Let’s consider the scope of the problem as we look at ways to get the best out of systems that need to blend human and computer capabilities to achieve success. Our objective is to mitigate the impact of attacks against sensitive data handled by IT services. With de-perimeterization of the enterprise network, the source (insider or outsider) of the attack is no longer a relevant distinction.

jwsecure imagery

The above figure shows the parts of a Data Flow between a protected asset and a user trying to access it. Each service handling user requests and responses from protected assets needs to be secured to a degree that is proportional to the value of the asset. Events from each service are collected and fed into an SIEM system. Whenever an alert is triggered by SIEM, an incident is created and sent to a case management system for resolution by an analyst.

Unlike high-performance SIEM software, human analysts can be easily overwhelmed by too much data. Balancing detection abilities with analyst responsiveness is tricky, but it’s part of the cost of being able to detect new threats. It’s also why many commentators recommend that humans be kept out of the security loop. But the best security systems are optimized for some human involvement. Until we have machines that are substantially more intelligent that anything we have seen to date, we need to continue to train and deploy people to determine the importance of an incident and whether it requires immediate action.

Steps to stronger security

The detection process must deal with large volumes of data so that it can winnow out false positives without ignoring evidence of actual attacks. Security — including prevention, detection, and response — requires an effective balance of machine and human strengths. It all begins with a security review including the following steps:

  1. Document inventory.
  2. Create a Data Flow Diagram (DFD) for the system.
  3. Enumerate the threats that can impact the data in the system.
  4. Review the design with knowledgeable personnel to create use cases.
  5. Determine which events need to raise incidents.
  6. Start the system with alerts enabled, and be prepared for an initial flood of incidents.
  7. Evaluate the incidents to weed out those that will always be benign.
  8. Periodically test the system with simulated events to judge continued efficacy.

JW Secure personnel were part of the first effort to create systemized security for the Windows XP SP2 release, the most secure and widely deployed operating system of its time. This pioneering effort forged the secure development methods that are now widely adopted by developers of secure software everywhere. Let us bring our extensive security experience to your next project.

Contact JW Secure at sales@jwsecure.com to learn more about our expertise in creating secure enterprise solutions.