Half-Baked Security Approaches: What Cybersecurity Can Learn from Legal Weed


There are plenty of examples of behaviors in everyday life that can be either legal or illegal. An easy example is marijuana. To determine whether or not somebody is illegally using the substance in the United States, you’d have to know (at least) which state they’re in, potentially their medical status, potentially their age, and the policies of their current specific location. Context matters tremendously, and just knowing that a person is using the drug is definitely not enough information.Others are likely not going to report the incident if they don’t have most or all of the information, as their information is of low confidence. Imagine if every time somebody observed a person using marijuana, they immediately called the police?

Given this physical world example, why is it acceptable that the digital world—specifically detecting security incidents—is full of low-confidence reporting? In just about every way we have a more complete picture of the environment, but yet we still spew half-baked (no pun intended) low-confidence alerts as fast as we can. It should be obvious that in order to deal with this scenario, a huge amount of effort should go into providing higher-fidelity alerts contextualized across multiple facets of a system.

Relating back to the original concept, alerts that only look at an event (whether network, endpoint, or interaction) in isolation are much less likely to be high-fidelity. For example, if Joe gets access to a new source of highly-restricted data at work (for a new project he’s on), systems that look at that event in isolation will notice it as an anomaly and immediately alert. However, simply accessing something new is not interesting in isolation. If, instead, Joe transfers that data to his work phone via Bluetooth, takes it home, and uses Gmail to send it to a competitor, that isinteresting. It’s the connection of these separate concepts that—in isolation—should not be that interesting where things start to become clear.

Therefore, we need ways to identify these behaviors as related, even though they’ll potentially be across different platforms, data sources, and devices. In addition, such information requires us to have either temporal or—much better—content-based knowledge about the content of such isolated behaviors. If we identify that Joe accessed Gmail on his work phone on the same day that he had access to new highly-restricted data on his work computer, it’s likely that we’ll have identified Joe simply sending an email in his personal time. However, if we can identify that it is the same data (or even—since it’s likely to be encrypted—roughly the same size of content being transferred) in this chain of events, then our alert is much more promising. Better yet, if we can identify metadata about the file being sent from the phone—through antivirus, perhaps—our fidelity increases even more.

So where does this leave us? Context is everything. Connecting the dots between indicators of interesting activity across different aspects of an environment—from external to intra-network to device—is the way to provide unparalleled alert fidelity. Interoperability between products is extremely important to getting to the next level of security capability. Will the first company that nails cross-technology integration, contextualization, and interrogation win the day?

About the author: Having used Wireshark ever since it was Ethereal, David has been analyzing network traffic for well over a decade. He has spent the majority of his professional career understanding how networks and applications work, currently as Principal Threat Researcher for Awake Security. David holds computer security degrees from the Rochester Institute of Technology (BS) and Carnegie Mellon University (MS).

Copyright 2010 Respective Author at Infosec Island via Infosec Island Latest Articles "https://ift.tt/2DX0GhE"

Comments

Post a Comment

Popular posts from this blog

Evernote cuts staff as user growth stalls

Image
Note-taking app Evernote has fallen on hard times of late, culminating in its latest spate of job cuts impacting 15 percent of its workforce (54 employees). CEO Chris O' Neil -- an ex-Googler who took the reins in 2015 -- announced the firings at an all-hands meeting earlier today, reports TechCrunch . In a message on the Evernote blog , O' Neill admitted he'd set "incredibly aggressive goals" for the company in 2018. He continued: "Going forward, we are streamlining certain functions, like sales, so we can continue to speed up and scale others, like product development and engineering." The layoffs follow an exec exodus just weeks ago and the company's recent brand refresh (complete with a refined logo and wordmark). But critics are more concerned about its product, especially the free tier, which they claim lacks the perks to
Read more

The best air conditioner

Image
By Liam McCabe This post was done in partnership with Wirecutter . When readers choose to buy Wirecutter's independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here . After six summers of researching, testing, and recommending window air conditioners, we've learned that quiet and affordable ACs make most people the happiest—and we think the LG LW8016ER will fit the bill in most rooms. This 8,000 Btu unit cools as efficiently and effectively as any model with an equal Btu rating, and runs at a lower volume and deeper pitch than others at this price. Little extra features like a fresh-air vent, two-axis fan blades, and a removable drain plug help set it apart, too. The LG LW8016ER is a top choice for an office or den, and some people will find it quiet enough for a bedroom, too. If our main pic
Read more

We won't see a 'universal' vape oil cartridge anytime soon

Image
Pre-loaded cartridges of cannabis concentrate are currently among the most popular means of consumption, and for good reason. They're discreet to use and easy to handle, a far cry from the dark days of 2016 when we had to dribble hash oil or load wax into narrow-mouthed vape pens by hand. But, frustratingly, an ever increasing number of oil cartridge manufacturers employ one-off design standards so that their products won't work with those of their competitors, thereby locking customers into proprietary ecosystems. We've already seen this with nicotine vaporizers -- which has a seen a massive rise in "pod systems" in the last few years, each outfitted with a unique canister and battery built to be incompatible with those of their competition. Is it too late for the burgeoning cannabis industry to set a universal standard for their product designs?
Read more