Monday, March 16, 2009

Where's the Intelligence?

One of the most crucial and overlooked areas in information security is intelligence gathering. Let's face it: the guys who do this well are physical security practitioners. They know that if they get this wrong, someone could end up dead.

Intelligence informs us so that we can make better risk management decisions. It buys us time and gives us an opportunity to react. Without it we end up making bad and potentially harmful decisions, not to mention mistakes.

We've gotten better at identifying our assets and modeling threats; however, we've made little headway in dealing with threat agents and the threats that they pose. They remain vague and generalized assumptions.

In some sense, rather than dealing with them, we've tried to outsource the problem to technology, i.e. IDS, IPS, DLP, SIEM, etc. At best we now know when something bad happened, but only if we were looking and if we knew what to look for. The problem is we can't see much anyway, because we've been encrypting anything that moves, oops! At least we'll be getting fewer alerts to action and the management reports are all green now.

But can we collect intelligence about threat agents and threats within the organization? Yes, and we've been doing a good job in the application space for ages with behavioral systems, i.e. fraud detection. But what about the rest of the stack? This has proven to be very problematic, as anyone who's ever tried to build an all-encompassing log management system will tell you.

Indexing log events across the stack is a promising new paradigm. Although not a security vendor, Splunk has developed a technology that does just that. If you could index your landscape, you could ask it very interesting questions, for example "show me all the users who accessed the network but didn't log on via RAS or the access network". We're literally sitting on volumes of useful intelligence that end up on tape.
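The cross-source question above, as an added example (not the post's own code, nor Splunk's): constructed events from two sources are grouped by user the way an index would, and the question becomes "network accesses with no successful RAS logon by that user in the preceding window". The source names, field names and one-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not real data), one indexed event per line:
#   <timestamp> <source> key=value ...
# "ras" events are remote-access logons; "netaccess" events are internal
# network accesses already attributed to a user (assumed sources and fields).
SAMPLE_LOGS = """\
2009-03-16T08:01:12 ras user=alice src=203.0.113.7 result=success
2009-03-16T08:03:40 netaccess user=alice dst=10.0.0.5 proto=smb
2009-03-16T08:10:05 netaccess user=bob dst=10.0.0.9 proto=rdp
2009-03-16T09:15:22 ras user=carol src=198.51.100.4 result=failure
2009-03-16T09:16:01 netaccess user=carol dst=10.0.0.5 proto=smb
2009-03-16T12:30:00 netaccess user=alice dst=10.0.0.12 proto=ssh
"""

def parse_event(line):
    """Turn one log line into a dict with a parsed timestamp and its key=value fields."""
    ts, source, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts), "source": source}
    event.update(field.split("=", 1) for field in fields)
    return event

def build_index(lines):
    """Mimic an index: group events by (source, user) so cross-source lookups are cheap."""
    index = {}
    for line in lines.splitlines():
        if line.strip():
            event = parse_event(line)
            index.setdefault((event["source"], event["user"]), []).append(event)
    return index

def network_access_without_ras(lines, window_hours=1):
    """Return (user, timestamp) for each network access that has no successful
    RAS logon by the same user within the preceding window_hours."""
    index = build_index(lines)
    window = timedelta(hours=window_hours)
    findings = []
    for (source, user), events in index.items():
        if source != "netaccess":
            continue
        ras_ok = [e["ts"] for e in index.get(("ras", user), [])
                  if e.get("result") == "success"]
        for event in events:
            covered = any(event["ts"] - window <= t <= event["ts"] for t in ras_ok)
            if not covered:
                findings.append((user, event["ts"].isoformat()))
    return sorted(findings)
```

On the sample data, alice's morning access is covered by her RAS logon, while her afternoon access, bob's access with no RAS logon at all, and carol's access after a failed RAS logon are all reported.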

We've been having a lot of fun with Splunk recently; we've developed a connector for SAP NetWeaver. It's going to be interesting to see how this new paradigm is exploited by security vendors and practitioners.

Drop me an email at if you are interested in playing with the SAP NetWeaver application.

1 comment:

  1. You are right, the notion of chance discovery is missing in today's systems. We only know about the things we are looking at. The system cannot identify them for us and present them to us. Very thought-provoking article.