Security is a Holistic Proposition

Gorka Sadowski


Top Stories by Gorka Sadowski

APTs, Advanced Persistent Threats, are the anti-script-kiddie approach to penetrating an environment. Can static rule-based correlation catch these?

APT Attackers Love Correlation Environments

You remember that "False Sense of Security," the feeling that you are secure when in fact you're not...? Attackers know that an attack is a process, not an event. And they use this, and they use time, to their advantage. They use time scales that static rule-based correlation simply cannot cope with. If you want to correlate disparate events, you need to keep state information on those events, and of course the longer you need to keep that state, the more expensive it becomes (in RAM, CPU, storage, etc.), to the point where it is no longer affordable. Did you know that many/most static rule-based correlation engines cannot keep state for more than a few mi... (more)

Preventive Security Through Behavior Modification - Part 3

This week let's review why logs are such a popular and powerful tool when performing forensics, and how to ensure that investigators are working from a clean stream of data. Logs used in forensics have several distinct advantages. First, logs can be used not only to solve the IT crime but also as evidence in a court of law, provided that they have been properly managed. Second, logs are widely available. Logs have been around for the past 25 years, and today all electronic equipment is capable of generating logs. Third, best practices for log management are mature; all system adm... (more)

Why Rule-Based Log Correlation Is Almost a Good Idea... (Part 5)

Performance Tolls - Why you cannot correlate 100% of your logs...?

On top of the combinatorial explosion in the number of static correlation rules, it is impossible to correlate 100% of all your logs: it is just too expensive and not practical. Read on... A correlation engine works really hard, even when dealing with a limited set of scenarios. Each scenario requires lots of rules and exceptions, and most of these rules need to be interpreted further as dozens, if not hundreds, of simple checks and tests. For example, you may want to flag loops with a simple rule such as "IP O... (more)

Conclusion: Why Rule-Based Log Correlation Is Almost a Good Idea...

During these past few weeks, we have looked at several reasons why static rule-based correlation is not the "SOC in a Box", end-all, be-all that many thought it was. Indeed, what to think of a "solution" that:

- Can only address a very limited set of attack scenarios
- Requires meticulous consideration of how to map out the few selected attack scenarios
- Doesn't guarantee that you catch attacks in progress, even when one of the few selected scenarios is taking place
- Obliges you to think of minute details to slightly reduce false positives
- Yields hundreds and thousands of basic correlat... (more)

Fraud Detection, Financial Industry and E-Commerce | Part 4

Catching fraud rings and stopping them before they cause damage is a challenge. One reason for the challenge is that traditional methods of fraud detection are not geared to look for the right thing: in this case, the rings created by shared identifiers. Standard instruments, such as a deviation from normal purchasing patterns, use discrete data and not connections. Discrete methods are useful for catching fraudsters acting alone, but they fall short in their ability to detect rings. Further, many such methods are prone to false positives, which creates undesired side eff... (more)