Anomaly Detection: Front-Door Infrastructure Security

Sunday, September 23, 2012

Larry Karisny


The Digital Communities article "Have Hackers Won?" -- with Columbia Computer Science Professor and Federal Trade Commission Chief Technologist Steven Bellovin -- gave a clear explanation of security limitations because of the size and complexity of buggy software code, and limitations in authentication and encryption.

"Authentication won’t do it," Bellovin explained in the article. "In most breaches, the bad guys go around the strong authentication, not through it."  He went on to say that as part of a national study, he analyzed every CERT advisory issued up to 1998 and found that 85 percent of them were code problems, configuration errors, etc., that encryption couldn’t fix.

While this may be a difficult problem to address, it is not impossible. It does, however, require a new way of looking at what real security is and how to effectively secure business process information.

Understanding True Security

While technology has delivered benefits, it has also delivered a new set of security risks and business problems, including large volumes of questionable data, vague accountabilities, and ongoing maintenance of business rules, to name a few. As we have digitally automated our business and control processes, we have reached a point of complexity at which it is impossible for a manager to see the day-to-day actions of these processes or even detect a security breach. New visualization tools are necessary to assist managers if they are to accurately and effectively direct these business processes. This is where anomaly detection will help.


Currently, data collection, buggy code, network encryption and authentication are all viewed and audited at the system output level. In this type of security system, real-time system data and unwanted business events are detected too late, if at all. To achieve the higher security levels required for critical infrastructure, security must instead be viewed, audited and authorized at the enterprise event input level.

Our current security systems are collecting so many security "no's" at the output level that intrusion prevention and detection systems are reaching the point of overload. To date there have been over 17.7 million viruses detected. Add bandwidth-eating high-end encryption to the mix and things are eventually going to start slowing down. So how do we handle all these security "no's"? The answer to this problem is simply to say yes.

It's almost impossible to manually watch, detect, audit and correct all these business activities in the complexity of today's business processes. Even when doing this through coordinated government compliance like NERC and SIP in securing the power grid, the minute we think we are done and walk away, something changes. These compliance processes cost a lot of money, take a lot of time and can't guarantee security anyway.

So what if we could create an anomaly algorithm that could audit, detect and approve positive input events in business processes? And if we could do this, wouldn't risk management and security actually just be a byproduct of allowing these positive business events to occur?

"Anomaly detection," says Wikipedia, is also called "outlier detection" and refers to detecting patterns in a given data set that do not conform to established normal behavior. The patterns thus detected are called anomalies and often translate to critical and actionable information in several application domains. 

In the workplace, predetermined activities of employees, information systems and combined human and information system events produce specific desired business process results. Anomaly detection is a tool that can specifically detect and audit the defined patterns of these combined human and system activities. A change in the normal pattern of these activities can offer a business manager very specific information that can assist in improving the business process or even in detecting a major business or system breach.
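The "say yes" approach described above, as an added illustration that is not part of the original article: a baseline of approved process steps is learned from normal runs of a hypothetical purchase-approval workflow (constructed sample data), and any step that was never, or only rarely, seen in that baseline is reported to the manager together with the steps that were expected instead.

```python
from collections import Counter, defaultdict

# Constructed sample of "normal" runs: each run is the ordered list of
# (role, action) events one purchase-approval workflow produced.
NORMAL_RUNS = [
    [("clerk", "create_po"), ("system", "validate"), ("manager", "approve"), ("system", "pay")],
    [("clerk", "create_po"), ("system", "validate"), ("manager", "approve"), ("system", "pay")],
    [("clerk", "create_po"), ("system", "validate"), ("manager", "reject"), ("system", "close")],
    [("clerk", "create_po"), ("system", "validate"), ("manager", "approve"), ("system", "pay")],
    [("clerk", "create_po"), ("system", "validate"), ("clerk", "amend"), ("system", "validate"),
     ("manager", "approve"), ("system", "pay")],
]

# Sentinel events so the first and last real steps are audited too.
START, END = ("_", "start"), ("_", "end")


def learn_baseline(runs):
    """Count every observed (previous event -> next event) transition.
    The result is the positive model: anything absent from it was never
    an approved step in the recorded process."""
    counts = Counter()
    for run in runs:
        seq = [START] + list(run) + [END]
        for prev, nxt in zip(seq, seq[1:]):
            counts[(prev, nxt)] += 1
    return counts


def audit_run(run, baseline, min_support=1):
    """Audit one run against the baseline.
    Returns a list of (position, event, expected_next_steps) for every step
    whose transition has fewer than min_support prior observations."""
    successors = defaultdict(set)
    for (prev, nxt), n in baseline.items():
        if n >= min_support:
            successors[prev].add(nxt)
    anomalies = []
    seq = [START] + list(run) + [END]
    for i, (prev, nxt) in enumerate(zip(seq, seq[1:])):
        if nxt not in successors[prev]:
            anomalies.append((i, nxt, sorted(successors[prev])))
    return anomalies
```

Raising `min_support` turns infrequent but legitimate paths (the amend-and-revalidate run) into review items, which is the trade-off between catching a breach early and generating yet more "no's" for a manager to clear.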

Real-World Fix

This may seem like security fantasyland or something that is still on the drawing board, but it's not. The problem is not that the technology is unavailable or that it doesn't work. It is available.

Like most paradigm shifts, it takes a while for people to get it, and human nature sometimes confuses threats with benefits. We need to start leveraging tools that can view, audit and improve business processes and improve security at the same time.

Larry Karisny is the director of Project, a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.

Cross-posted from Digital Communities
