Risk Management & Reporting

October 18, 2017

This post is one of a series looking at what we can learn from what is actually said by real people working on real problems in the cyber security industry (hence “cyber security quotes”). Below we consider the feedback, thoughts, opinions and views at the front line of cyber security – the things that are said by security operators and analysts who monitor and defend systems from attack and deal with incidents when they occur.

Cyber Security Quotes: The word on the street (or in the SOC)

Cyber security is a people, process and technology challenge. Sometimes the tools and processes don’t work as well as they should, or they solve the wrong problems. The best way to resolve or improve this is to listen to what the people have to say. A bad process or a technology limitation won’t always be evident until someone tries to use it – and these “cyber security quotes”, once understood, become valuable insights.

Overwrought cyber security quotes: “There are too many alerts and reports to deal with”

One challenge security operations teams face is that the volume and rate of cyber security attacks and alerts has grown to the point where the sheer numbers are difficult to deal with. The reasons for this are chiefly:

  • The growing complexity and reliance on technology systems;
  • The increased exposure through different attack vectors – where once there was a web site and a firewall now there are multiple flows of bi-directional data, Internet, third party and wireless gateways, users with their own devices as well as company issued ones, and data and applications in the cloud;
  • The increase in sophistication and industrialisation of the attacker community; malware and botnets are available as services, the market is complex, functional and global – ransomware, phishing attacks and intrusions have evolved to a level of advancement where the baseline, simple controls do not provide a defence.

A contributing factor to this is our response to these realities. The security industry has been creating a range of new technologies that detect more types of attacks, and the same attacks more effectively – hence even on a level playing field we are finding more attacks to respond to.

NO. OF ALERTS = OPPORTUNITY TO BE ATTACKED × SIZE / SKILL OF ATTACK POPULATION × DETECTION RATE

In short, as this particular “cyber security quote” illustrates, there are too many alerts and reports and threats to deal with.

Curious cyber security quotes: “That looks interesting”

When overseeing a network or an “ecosystem” of security controls, the signs of an external attack or internal misuse are often not evident; sometimes the indications that all is not well surface only because “they look interesting”.

There might be a call centre operator who seems to be accessing a larger number of customer records than normal call volumes would indicate, or an email user sending an abnormally large number of emails, or a strange pattern of web site navigations, or a network session that is open for a long time but isn’t carrying very much data.

Any of these, as well as a variety of other signs, could mean a system or network is under attack or that data is being lost or accessed. However, there are three challenges buried in this quote that must be recognised:

  • How do we look? – To see anomalous activity we need to be looking, to know what normal looks like, and to be able to view the stream of activity, operations and navigations so that we can actually tell what is usual or unusual;
  • Is it interesting? – To determine that something is interesting we have to be able to notice it in some way; it has to be evident. In cyber security circles this is sometimes called “surfacing the threat”: engineering a situation, technology or process so that these events become notable and hence can be deemed interesting. This is hard to do, particularly when it is a manual process;
  • Does it look interesting or not? – The last challenge is that of subjectivity. What looks interesting to one person might not to another (based on experience, technical background, level of observation skill, amount of coffee consumed). The quote implies an inherent lack of precision and objectivity. What we want security operations staff to say is “That is interesting because … ”, which has a bit more objective assurance around it.

Computers go some way to solving this problem as they can do quite complex analysis over and over in a predictable and reliable way; however they aren’t as “tuned in” as the human mind is at spotting things that are “interesting” unless they have been programmed to do it, or as is becoming increasingly common, they have been programmed to “learn how to” do it.
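The kind of repeatable analysis the paragraph above describes, as an added example that is not part of the original post: two small detectors run over constructed log lines, one for the call-centre operator reading far more customer records per call than their peers, one for the long-lived network session that carries very little data. The log formats, field names, thresholds and sample values are all assumptions made for this example. Each finding carries a reason string, so the output reads “That is interesting because …” rather than just “That looks interesting”.

```python
"""Surfacing 'interesting' events with an objective reason attached.

Example code written for this page, not from the original post. The two
log formats below are invented for the example, as are the thresholds.
"""
from statistics import median
from typing import List, NamedTuple


class Finding(NamedTuple):
    subject: str   # who or what was flagged
    reason: str    # why it is interesting, in measurable terms


# Constructed sample data (not real records): one line per operator per shift,
# as "operator,calls_handled,customer_records_accessed".
OPERATOR_LOG = """\
alice,42,130
bob,38,115
carol,45,140
dave,40,118
erin,39,610
"""

# Constructed sample data (not real traffic): one line per network session,
# as "client,server,duration_seconds,bytes_transferred".
SESSION_LOG = """\
10.0.1.15,10.0.2.7,12,48320
10.0.1.22,10.0.2.7,9,71002
10.0.1.40,203.0.113.5,14400,2100
10.0.1.8,10.0.2.9,31,95500
"""


def find_record_hoarders(log_text: str, factor: float = 3.0) -> List[Finding]:
    """Flag operators whose records-per-call ratio exceeds `factor` times the peer median.

    The median is the baseline for "what normal looks like": one operator
    pulling thousands of records would drag a mean upwards, but barely
    moves the median, so the outlier stays visible.
    """
    ratios = {}
    for line in log_text.strip().splitlines():
        operator, calls, records = line.split(",")
        calls, records = int(calls), int(records)
        if calls == 0:          # no calls handled: ratio undefined, skip rather than divide by zero
            continue
        ratios[operator] = records / calls

    baseline = median(ratios.values())
    findings = []
    for operator, ratio in ratios.items():
        if ratio > factor * baseline:
            findings.append(Finding(
                operator,
                f"{ratio:.1f} records per call vs peer median {baseline:.1f} "
                f"(more than {factor:g}x)",
            ))
    return findings


def find_quiet_long_sessions(log_text: str, min_duration_s: int = 3600,
                             max_bytes_per_s: float = 1.0) -> List[Finding]:
    """Flag sessions open at least `min_duration_s` but moving under `max_bytes_per_s`.

    A session that stays open for hours yet carries almost nothing is the
    "open for a long time but isn't carrying very much data" sign from the
    text; the threshold turns that intuition into a testable rule.
    """
    findings = []
    for line in log_text.strip().splitlines():
        client, server, duration, nbytes = line.split(",")
        duration, nbytes = int(duration), int(nbytes)
        rate = nbytes / duration if duration > 0 else float("inf")
        if duration >= min_duration_s and rate < max_bytes_per_s:
            findings.append(Finding(
                f"{client}->{server}",
                f"open for {duration}s but only {nbytes} bytes transferred ({rate:.2f} B/s)",
            ))
    return findings


def all_findings() -> List[Finding]:
    """Run both detectors over the constructed sample logs."""
    return find_record_hoarders(OPERATOR_LOG) + find_quiet_long_sessions(SESSION_LOG)


if __name__ == "__main__":
    for finding in all_findings():
        print(f"{finding.subject}: interesting because {finding.reason}")
```

Running the block prints one line per finding; in the constructed data only erin and the 10.0.1.40 session are reported, and every other line is silently accepted as normal. The thresholds are deliberately parameters, because tuning them against what the network actually looks like is most of the work of "surfacing the threat".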

Confident cyber security quotes: “I don’t think that’s anything to worry about”

When something is observed as worrying, or a possible intrusion is detected, it is not uncommon for the initial signs to be deemed normal. This may be for a number of reasons, often a lack of knowledge of what normal activity looks like or (more commonly) of how the early stages of an attack actually manifest themselves.

In some cases it is as simple as being at the front end of several hours of investigative work that will often lead to a false positive: the observer simply wants to avoid what is perceived as a long and rather complex trip down a blind alley when they have (so they think) more pressing matters to attend to.

One example, from a past data loss prevention deployment, was a flow of network data on a port commonly used by peer-to-peer file sharing applications. There wasn’t a large volume of data involved and the true nature of the issue wasn’t obvious, but it was clearly suspicious.

The server was a documentation server, so it held a significant amount of material; the server software itself could have used the protocol, or a system administrator might have installed a file sharing application to effect a simple backup arrangement to a separate solution, or to download a large software patch at some point. The IT team thought it may have been related to a past virus outbreak, an outbreak that had been fully eradicated, so it wasn’t anything to worry about. The possibility remained, though, that it indicated an ongoing and deliberate data theft.

In any case, establishing the true nature was deemed to be “difficult” and the IT team’s response, in the absence of any corroborating evidence, was “I don’t think that’s anything to worry about”. This particular case was left in the hands of Internal Audit to decide whether they trusted the finding or the responses of the IT team.

Over-confident cyber security quotes: “That’s nothing, you can close/ignore that”

Even more risky than just simple confidence that all is well, is the certainty that it is.

Maybe a constant string of alerts or reports of a similar type occur on monitoring systems and SOC dashboards, or maybe the past investigations into a particular stimulus have always turned out to be innocent… leading to the view that the normal system behaviour is to generate that kind of “detection noise”.

In this more certain case, the authority and surety mean that what might be an attack, insider threat, virus infection or data loss is deemed not to be significant based on past or current similar cases or context. This approach of course fails immediately when an apparently familiar situation turns out not to be as benign as it is assumed to be: the event is ignored on purpose when in reality it needed urgent attention.

There is a car alarm going off in a car park – no one runs over, no one calls the police, no one tries to find the owner. Everyone just gets annoyed until the noise stops and they don’t have to listen to it anymore.

Oblivious cyber security quotes: “We didn’t spot that until now”

Every year there are numerous surveys undertaken into various aspects of cyber security. One of the more interesting figures is the amount of time taken to detect a breach – not to investigate or to resolve, but just to detect that the network or system is under attack.

This figure is depressingly long (in every survey and in every year). Imagine how much time a determined hacker might want to access a network to extract data: maybe a few hours, a few days perhaps? Statistics often put the “dwell time” at tens or hundreds of days. A recent Mandiant/FireEye report gave a figure of 146 days as a global average.

Of course, in the case of each incident, as soon as the intrusion is apparent the incident response process swings (or more often ‘limps’) into action. However, in too many cases, this is several months after the attack – several months that culminate in the security team saying “We didn’t spot that until now”.

Non-committal cyber security quotes: “I don’t know”

The last frequently repeated expression, “I don’t know”, is used all too often and too widely in the cyber security realm.

It is sometimes followed by slightly more positive words like “… yet”, “… but I’ll find out” or “… let me ask someone”. However, the reality is that often there are more questions than answers when defending systems from attack. Hence any of:

  • “What happened?”
  • “How long has this been going on?”
  • “What data has been stolen?”
  • “Were the sensitive details encrypted?”
  • “How many customers are affected?”
  • “Who did it?”

can be followed by “I don’t know” when the real world situation of a cyber attack arises.

Part of the reason for this is that the origin and effects of an attack, and so the answers to these questions, are often hard to come by. It can be difficult to reverse engineer the nature of a breach or data theft; reliable information can be hard to track down and parse; the true chain of events might not be clear; and the attackers themselves could have deliberately tried to hide their presence, conceal their activities or disguise their motives. For example, they might transfer thousands of files simply to get one particular document, or compromise a number of systems just to find one that is used by a particular user.

Trying to minimise the number of times “I don’t know” is the only available answer is the real challenge of cyber security. Having information, analytics tools, skills, resources and the confidence to be able to answer with a much more robust “Let me run you through what we know…” is what we must aim for.

What do these cyber security quotes all indicate?

The meaning behind these various comments, assertions or denials is clear. When people talk about cyber security they are often equipped with a high degree of human bias, frequently a lack of knowledge (certainly compared to the attacker) and insufficient information, tools and resources to answer probing questions.

The solution, therefore, if we are to answer questions and convey assessments of cyber security realities and outcomes more confidently and accurately, must combine people and technology improvements within a more optimal process. Otherwise we will see continued surprise, confusion and naiveté in our cyber responses.
