As much as we would like to think that we can trust all our colleagues and employees, Insider Threat is a large concern. People within a company - employees, management, and contractors - are given access to information and assets as a trusted member of our organization. This access gives them the capability and opportunity to make negative choices by either stealing something of value, or sabotaging to cause harm.Read More »
The human perceptual systems are pretty darned amazing. Without our conscious control the brain acts to gather the information needed to construct and mold our perception of reality.
Consider our vision. When something first catches our eyes our brains begin to try and figure out what it is we are seeing. Unconsciously our brain starts jerking our eyes about to gather the information needed to correctly classify that something. This is known as "saccadic eye movement" or "eye saccades".
When we first see a face, our motor cortex takes control over our eyes in order to collect up corroboratory information. Basically, our brain says, "If this is a face, I should see a nose here, an eye here, another eye over here, and a mouth here." Each time the eyes jerk from one location to another, they are collecting information that can confirm or nullify that you are looking at a face.Read More »
Artificial Intelligence for InfoSec (AI) has wavered up and down in reputation over the decades. Sometimes it is seen as being on the brink of great breakthroughs. At other times it is seen as an impossibility. My opinion is; it’s already here. Mostly due to my definition of AI.
Defining Artificial Intelligence for InfoSec
Alan Turing’s definition was written in his paper “Computing Machinery and Intelligence.” He proposed a test that defined AI by judging whether or not the behavior of the machine was indistinguishable from that of a human.Read More »
Any cybersecurity analyst will tell you that there is a huge need to reduce the amount of false positive alerts they receive every day. In the first part of this blog series we described an Incident Response (IR) team that, instead of focusing on true threats, was all-to-often running down “suspect ping” alerts caused by harmless software updates.We discussed using ontologies to model alert data in graph form. By putting the original alert data into graph form, and using a description logic reasoner, Dark Light™ is able to apply expert knowledge to make inferences. In the case of the “suspect ping” problem, we use knowledge about related processes to reason if the alerts should be ignored, or classified as truly “suspect”. Read More »
A cybersecurity analyst recently said to me, "Bad guys don't do normal things." He was explaining his thought process behind a particular automated alert. Specifically, he was describing a Splunk alert that notified his team whenever a ‘suspect ping’ process was detected on one of the more than 20,000 devices within their enterprise. This particular alert detected whenever any Windows host executed the ‘ping.exe’ process with a ‘-n’ argument.
For example: ping 18.104.22.168 -n 1 -w 1000
The peculiar invocation above is not likely to be used by an IT person doing normal network troubleshooting. This non-default command, to send a single ping, might be indicative of malware or an intruder probing the network. This abnormal execution is what makes the ping interesting to a cyber network defender. At the mentioned organization, simply running the above command would be enough to launch a brief investigation by the Incident Response (IR) team.Read More »
Cyber Security Automation; Where to Start
The short and quick answer is; you start with the most impactful tasks. These are the tasks that will bring the highest value and return on your investment in the shortest period of time.
When automating your Security Operations Center (SOC), tasks in an effort to deal with high volumes of appliance events and alerts, you'll likely find that analysts will have tightened the criteria on what triggers an alert to be sent to them. This action will provide the analyst with the highest priority alerts.Read More »
I've had the pleasure of working alongside of some really smart and talented cybersecurity analysts. In this environment where there is a severe shortage of such people, they are frequently getting calls from headhunters who would like to recruit them into a much better paid position. I've seen more than one finally succumb to the "greener grass" on the other side of the fence.
Companies are experiencing this "brain drain" right now, and there is a lot more to come. They're losing knowledge and experience that takes years for a really good analyst to acquire. Sadly, it is the kind of knowledge and experience that can only be learned within the enterprise which they protect. Knowledge in three key areas is required to be one of the best; 1) network security, 2) threat intelligence, and 3) perhaps the most important, contextual knowledge of the enterprise itself.Read More »
In the previous blog post I let it be known that the cybersecurity analyst is the fundamental answer to many of the current problems of today. These analysts have been fighting the good fight. They’ve won some battles and lost some battles. They carry their experiences forward to apply to the next round. My point is that their experience and knowledge is incredibly valuable.
Here is a problem for us to consider: the number of cyber-criminals is increasing, and the number of cyber analysts isn’t keeping up, there is a huge shortfall in our protection from criminals and terrorists. How are we to balance this equation? Educational institutions are scrambling to meet the challenge. Government is sponsoring programs such as Cybercorps to help by providing stipends and tuition to potential cybersecurity analysts. But it is a technical and challenging subject matter, it takes time to learn.
The answer is that we have to apply more cybersecurity wisdom than the bad guys can apply cyber-malice. Given that the growth in the number of security good guys is outpaced by the number of bad guys we have to automate the actions of the good guys. How do you automate wisdom?Read More »
Some cybersecurity analysts amaze me. In fact, in broader terms, experts amaze me. When you see an expert in action they frequently make very difficult things seem so simple. Their experience has honed their skills to the point they can understand very confusing scenarios. In particular, cybersecurity experts can intuitively recognize suspicious actions and network conditions that mere mortals can’t.
They are so impressive because they have learned in great detail the ins and outs of their enterprise’s network, the enterprise business, and the people of the enterprise. Somehow, they are able to recognize suspicious and malicious things seemingly instinctually.
This is where Knowledge Representation and Reasoning (KR&R) comes into play. With KR&R we are able to capture the expert’s knowledge and logic in such a way that computers can use it. It makes absolutely no sense whatsoever to just ignore expertise such as these cyber guys have accumulated. Why reinvent what is already so powerful... human knowledge and logic?Read More »