Security frameworks generally agree that the primary activities organizations need to engage in with regard to information assets are to:
- Identify Assets
- Protect against events compromising confidentiality, integrity or availability
- Detect incidents
- Respond to actual incidents
Unfortunately, most tools and methodologies are reactive rather than proactive or predictive. Security Information and Event Management (SIEM) tools allow retroactive correlation and review of past events. Intrusion detection (IDS) and intrusion prevention (IPS) systems are also reactive.
IDS/IPS solutions are either signature-based or anomaly-based. Signature-based IDS/IPS are analogous to the antivirus systems most of the public is familiar with by now. These systems detect security incidents by matching against a known database of threats. They do little or nothing to protect against unknown or as yet undiscovered threats. Signature-based systems are generally static, non-adaptive, and prone to false negatives.
Anomaly-based systems, on the other hand, detect deviations from a known baseline of what is expected. In other words, they attempt to sort out what is normal from what is not, and they have a significant shortcoming: they are prone to false negatives because the baseline against which they compare is of questionable value.
Systems which combine signature-based as well as anomaly-based detection would at first glance seem to be the best of both worlds. Indeed, this is an improvement, and many current solutions in the market are hybrids. However, there remains the issue that these systems are still reactive and not predictive.
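To make the signature/anomaly distinction and the baseline problem concrete, here is a small added illustration that is not part of the original article: a toy hybrid detector run over constructed access-log lines. The log format, the two signature patterns, the per-source request-count feature and the z-score threshold are all assumptions made for the example. One source trips a known signature; another is never matched by any signature but stands out against a clean baseline; and when the baseline is rebuilt from a window that already contains that source's traffic, the anomaly scorer stops flagging it, which is exactly the false negative a poor baseline produces.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample lines (assumed format, not from the article):
# "<time> <source_ip> <method> <path> <status>"
BASELINE_LOGS = [
    "10:00:01 10.0.0.5 GET /index.html 200",
    "10:00:03 10.0.0.5 GET /about.html 200",
    "10:00:05 10.0.0.5 GET /products 200",
    "10:00:07 10.0.0.6 GET /index.html 200",
    "10:00:09 10.0.0.7 GET /login 200",
    "10:00:12 10.0.0.6 GET /contact.html 200",
    "10:00:15 10.0.0.8 GET /index.html 200",
    "10:00:20 10.0.0.7 POST /login 200",
]
NEW_LOGS = [
    "10:05:01 10.0.0.5 GET /index.html 200",
    "10:05:02 10.0.0.9 GET /static/../../config.ini 404",  # known-bad pattern
    "10:05:03 10.0.0.6 GET /about.html 200",
    # 10.0.0.11 matches no signature but requests far more than any baseline source
    "10:05:04 10.0.0.11 GET /p1 404",
    "10:05:04 10.0.0.11 GET /p2 404",
    "10:05:05 10.0.0.11 GET /p3 404",
    "10:05:05 10.0.0.11 GET /p4 404",
    "10:05:06 10.0.0.11 GET /p5 404",
    "10:05:06 10.0.0.11 GET /p6 404",
    "10:05:07 10.0.0.11 GET /p7 404",
    "10:05:07 10.0.0.11 GET /p8 404",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Signature side: a tiny "known threat database" of request-path patterns (assumed).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "script-tag-in-path": re.compile(r"<script", re.IGNORECASE),
}


def parse(line):
    """Split one log line into its fields; raises on lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    t, src, method, path, status = m.groups()
    return {"time": t, "src": src, "method": method, "path": path, "status": int(status)}


def signature_hits(event):
    """Names of every signature whose pattern appears in the request path."""
    return [name for name, rx in SIGNATURES.items() if rx.search(event["path"])]


def build_baseline(lines):
    """Anomaly side: mean and std-dev of requests-per-source in the baseline window."""
    counts = Counter(parse(l)["src"] for l in lines)
    values = list(counts.values())
    return mean(values), pstdev(values)


def zscore(n, baseline):
    """How many standard deviations a source's request count sits above the baseline."""
    mu, sigma = baseline
    scale = sigma if sigma > 0 else 1.0  # avoid division by zero on a flat baseline
    return (n - mu) / scale


def verdict(sigs, z, z_threshold):
    if sigs and z >= z_threshold:
        return "both"
    if sigs:
        return "signature"
    if z >= z_threshold:
        return "anomaly"
    return "normal"


def classify(new_lines, baseline_lines, z_threshold=3.0):
    """Hybrid verdict per source: signature match, statistical anomaly, both, or normal."""
    baseline = build_baseline(baseline_lines)
    events = [parse(l) for l in new_lines]
    counts = Counter(e["src"] for e in events)
    report = {}
    for src, n in counts.items():
        sigs = sorted({name for e in events if e["src"] == src for name in signature_hits(e)})
        z = zscore(n, baseline)
        report[src] = {"requests": n, "signatures": sigs, "z": round(z, 2),
                       "verdict": verdict(sigs, z, z_threshold)}
    return report


if __name__ == "__main__":
    print("clean baseline:")
    for src, r in classify(NEW_LOGS, BASELINE_LOGS).items():
        print(f"  {src:10} {r}")
    # Baseline contaminated with the new window itself: the burst becomes "normal".
    print("polluted baseline:")
    for src, r in classify(NEW_LOGS, BASELINE_LOGS + NEW_LOGS).items():
        print(f"  {src:10} {r}")
```

Against the clean baseline, 10.0.0.9 is caught by the signature database alone and 10.0.0.11 only by the anomaly scorer; neither detector alone covers both. Rebuilding the baseline from a window that already includes 10.0.0.11's burst drags the mean and spread up enough that the same burst scores below the threshold and is reported as normal, which is the sense in which an anomaly detector is only as good as the baseline it was given.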
Is it possible to predict malicious intent? I think that it is. In order to illustrate this view, I am going to radically jump off topic with a comparison which I promise will be brought back to the point at hand.
Decades back, before the dawn of the PC and certainly before the Internet as we know it today, I had an earlier career as a broker managing client stock, options and commodity accounts. At that time, I was curious about predicting the direction of the markets, or any specific stock or commodity. However, most chart patterns and technical analysis, as it is called, try to use price to predict price. Sometimes it works and we get lucky, but most often it is folly to predict price with price; something else is needed.
What if we were able to analyze behavior of the major players in the market? The best example here is with commodity markets such as oil, natural gas, wheat, cattle, etc. where the commercials, or large traders in the market are required by regulation to report their positions. Now, we have something substantial and relevant besides price with which to predict price.
It is far beyond the scope of this article to go into examples, but for anyone who cares to investigate, it can be proven that such a behavioral indicator does indeed predict the future direction of a particular market.
I promised to come back to the subject of information security and predicting malicious events and here it is: What if we were able to devise a system which factored in signatures, anomalies, and behavior? Such a system would in fact become predictive vs. reactive.
Behavioral analysis must also distinguish between internal and external threats. The level of deception must be assessed for both; for internal threats we must additionally consider the intent to do harm, and for external threats we must also consider the level of expertise applied.
Hopefully, the points raised here stimulate some thought. I would welcome hearing from anyone who has tried or is implementing such a system on an enterprise scale. (Other than our NSA!)
For a deeper read on the subject, I recommend:
Predicting Malicious Behavior: Tools and Techniques for Ensuring Global Security
– Ted Lloyd, CISM