Another trite detection analogy.
So, I was out at the zoo with my kids yesterday. They were doing the usual running around, turning into some quantum cloud with me as the loosely defined nucleus, and I spent pretty much all my time trying to determine their positions (or at least their velocities) without having my eyeballs unscrew themselves from my skull.
In one exhibit, I saw a little boy wandering around. My parent-Spidey-sense tripped, because subconsciously I noticed that he was not within “proper range” of anyone who looked like his parent. As my kids herded themselves back outside, my Spidey-sense immediately spotted two women walking back and forth in the playground across the way, in a manner that I recognized as being Urgent. I figured these were the women looking for the boy.
I sent my oldest back into the exhibit to find the boy, and just then another woman came out leading him. Their body language clearly showed that they were not related, and she was looking around to find his parent. I pointed her to the other two women across the way, she took him over there, and lo and behold, everyone was reunited happily.
This all gets back to the importance of detection in security, because in Richard Bejtlich’s oft-repeated words, prevention eventually fails. Kids can and do get really, really excited and run off without another look back. (Which is why I write my cell phone number on my kids’ arms before we go off to a place like this.) In this case, detection worked well to solve the problem. But how did it work?
It was the Hinkiness Factor. In this case, it was a function of my noticing an outlier (a boy without a responsible adult in “range,” for some undefined value of “range”), and being trained as a parent to notice that outlier. (Which also explains why IDSes will never be that good at getting you the detection you need. A boy in a zoo exhibit? Just what you’d expect to see, right? Parents walking fast? Isn’t that normal when you’re chasing kids?) I put the rest of the puzzle together by putting a context around it and identifying other symptoms that could be associated with it.
So you need someone who is trained to pay attention to what you want to detect, who is good at noticing things out of their usual context (i.e. something “hinky”), and who can pick the other packets out of the stream to put the puzzle together. Remember: an intrusion shows up either as something “normal” coming from the “wrong” place, or as something coming from a “normal” place but doing something “wrong.” It’s all in the context, and neither signatures nor baselining will completely cover that.
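As an added illustration (not part of the original post), here is that two-shapes rule encoded as a check against a per-account context profile and run over a handful of constructed events, next to a plain signature list that never fires on them. The accounts, addresses, actions and the signature set are all made up for the example.

```python
"""Context-based detection versus a bare signature list (constructed example)."""

# Constructed per-account context: where each account is normally seen from,
# and what it normally does. In practice this is learned from history.
BASELINE = {
    "alice":      {"places": {"10.1.1.5"}, "actions": {"login", "read_file"}},
    "svc-backup": {"places": {"10.1.2.9"}, "actions": {"read_file"}},
}

# Constructed "known bad" signature set: actions that are bad on their face.
SIGNATURES = {"drop_table", "disable_logging"}

# Constructed event stream. None of these actions is bad by itself.
EVENTS = [
    {"user": "alice",      "src": "10.1.1.5",    "action": "login"},        # fits context
    {"user": "alice",      "src": "203.0.113.7", "action": "login"},        # wrong place
    {"user": "svc-backup", "src": "10.1.2.9",    "action": "create_user"},  # wrong action
    {"user": "bob",        "src": "10.1.1.5",    "action": "read_file"},    # no context
]


def classify(event, baseline=BASELINE):
    """Return None when the event fits its account's context, otherwise a
    label naming which of the two intrusion shapes it matches."""
    profile = baseline.get(event["user"])
    if profile is None:
        return "unknown actor"
    place_ok = event["src"] in profile["places"]
    action_ok = event["action"] in profile["actions"]
    if place_ok and action_ok:
        return None
    if action_ok:
        return "normal action from wrong place"
    if place_ok:
        return "normal place doing wrong action"
    return "wrong place and wrong action"


def scan(events, baseline=BASELINE):
    """Context pass: list of (event, label) for every event that stands out."""
    flagged = []
    for event in events:
        label = classify(event, baseline)
        if label is not None:
            flagged.append((event, label))
    return flagged


def signature_hits(events, signatures=SIGNATURES):
    """Signature pass: only events whose action is bad on its face."""
    return [e for e in events if e["action"] in signatures]
```

On the constructed stream the signature pass returns nothing, while the context pass flags the out-of-place login, the out-of-role action and the actor it has no context for.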
Now, I really need to work in something about neurotic lions and flamingo poop to round out this security analogy, but I think I’ll leave that as an exercise to the reader. Me, I’m still beat from chasing the kids around the zoo.
Posted by shrdlu on Tuesday, April 24, 2007