148Security Strategy: From Requirements to Reality
Detectors may incorporate multiple mechanisms to increase accuracy (i.e., reduce false detections). For example, a motion detector might be combined with an infrared detector so that a pet passing through an area would not set off the alarm. For coverage purposes, detectors are often redundant or overlapping. For example, a window switch combined with a glass-breakage detector covers someone opening the window or breaking the glass to crawl through it. A beam detector and carpet switch cover someone stepping over the beam. Detectors are often used to improve the effectiveness of surveillance; for example, the opening of a door or motion in an area causes the main video monitor to switch to that doorway or corridor. Detectors also have a resolution factor based on their false and true detection rates. For example, a door switch that claims the door was opened when someone merely bumps into it is a low-resolution device because it is sending out false positives. Conversely, a sticky switch that only reports some door openings also has poor resolution because it is not detecting all events (false negatives). Too much sensitivity can also be a problem; for example, a smoke detector may be so sensitive that it goes off for ordinary events like burning a scented candle. The effectiveness of detectors is largely related to the controller to which they are attached. The controller must be able to properly interpret the detector signals and take the proper action. Programmable controllers that support multiple input types are best.

Table 9.1 Common Event Detectors and Uses

Detector                                        Usage
Opening switches                                Open or closed door, window, or other opening
Carpet/item switches                            Movement on a carpeted area, item being moved
Motion detectors                                Movement in an area, item being moved
Heat/infrared detectors                         Temperature change, fire, presence of a heated body/object
Smoke/gas detectors                             Fire, hazardous vapors, hazardous gas
Vibration detectors                             Wall penetration, earthquakes, explosions, movement across an area
Membranes (e.g., silver tape)                   Wall penetration, glass breakage
Sound detectors                                 Glass breakage, explosions
Moisture detectors                              Humidity change, flooding
Beam detectors (e.g., light, infrared, laser)   Movement across an area or through an opening, item being moved
Proximity detectors                             Movement near or approaching something
Operational status                              Failed, disabled, or sabotaged equipment

The importance of having written operational guides and procedures for responding to events cannot be overemphasized. The timeliness and effectiveness of our response depend on people's ability to take the right action quickly and to escalate those actions when necessary. The purpose of surveillance and event detection is to identify wrong or malicious behavior so that it can be responded to and corrected. Coverage is vitally important; people and cameras need to be placed so that they have an appropriate field of view and eliminate blind spots. Detectors need to be in place to cover
Did You See That! (Observation)
all events associated with physical security (and safety). Event detection can be used to enhance the effectiveness of surveillance by tying monitor focus to specific events. Resolution requirements depend on what is being monitored; color is always recommended for video. Programmable controllers and detectors with adjustable sensitivity are recommended for event detection. Even the best surveillance capability cannot improve security effectiveness if the observers don't interpret what they are looking at correctly and don't respond in a timely and appropriate manner. Training staff to be good observers and to correctly interpret detector events is essential. For additional information on physical security controls, please see the Appendix—Physical Security Checklists.
IT Security
In information technology (IT), controls are deployed along the perimeter to protect data repositories and processing installations. The sentry element in logical security focuses on two areas: malicious pattern detection and abnormal behavior detection.
Pattern Detection
Pattern detection compares activity to a set of signatures. A signature is one or more conditions that, when matched, are indicative of malicious activity. There are four different types of signature matching:
1. Misuse (signature) detection—detects malware and malicious activity by comparing the contents of an activity (e.g., file, message, packet, etc.) to a dictionary of signatures to detect a pattern that matches or closely matches known malicious activity.
2. Pattern matching—detects malware and malicious activity by comparing the contents of an activity to a fixed sequence of bytes (characters) within a file, message, or network packet. Patterns can be combined with protocol header conditions to improve detection; for example, if this is a TCP (Transmission Control Protocol) IP version 4 packet with a destination port of 5554, it is very likely the Sasser worm, which opened an FTP server on that port.
3. Protocol decode analysis—detects malicious activity by finding patterns in a protocol exchange that are inconsistent with the standard. For example, a single open and two closes might indicate a response splitting attack. Protocol decode analysis is often used with multiple patterns in a single packet or content; it is also used across multiple packets (stateful).
4. Heuristic analysis—detects malicious activity or content using a problem-solving algorithm and heuristic-based signatures. Heuristic analysis typically takes the result of each individual check and accumulates them until the total crosses a specific threshold that represents a high likelihood of malfeasance. For example, an e-mail might have lots of misspelled words, consist only of images, come from a questionable source domain, or have an odd subject line. One of these conditions by itself might not mean the message is spam, but a heuristic match on two or more would cause the mail to be classified as spam. Heuristics can detect unknown attacks; it is the only one of the four techniques able to detect certain types of malicious activity.
The effectiveness of the tactic is based on the quality of the signatures. A signature that is not sufficiently unique will match legitimate content or activity and generate a false positive. The generation of a signature requires the analysis of the malicious code; until the analysis takes place, none of the pattern-matching techniques will work effectively except perhaps heuristic analysis. Heuristics may be able to detect the presence of malicious content based on its similarity to other types of malicious code. Pattern matching is commonly used in antivirus/antimalware solutions and network- or host-based intrusion detection systems (NIDS, HIDS).
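The four matching styles above are easiest to tell apart when they sit side by side in code. The following is an added example written for this page, not code from the book or from any product: a toy sentry that applies a content-hash dictionary (misuse detection), a header condition plus a fixed byte sequence (pattern matching), a parse of the HTTP request head that flags grammar violations (protocol decode), and a weak-signal accumulator with a threshold (heuristics). The sample hash, the NOP-sled pattern, the "questionable" domain list, the spam signals and the messages are all constructed assumptions; the TCP/5554 condition is the one the text gives for Sasser.

```python
"""Toy sentry: the four signature-matching styles on constructed input.
Added example; the signatures and sample data are illustrative assumptions."""
import hashlib
import re
from dataclasses import dataclass

# 1. Misuse (signature) detection: dictionary of known-bad content hashes.
#    The entry below is a constructed sample, not a real malware hash.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"MZ\x90\x00EVIL-PAYLOAD").hexdigest(): "Sample.Trojan.A",
}


def misuse_match(content):
    """Exact match of the content against the signature dictionary."""
    return KNOWN_BAD_SHA256.get(hashlib.sha256(content).hexdigest())


# 2. Pattern matching: a header condition and a fixed byte sequence.
@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""


NOP_SLED = b"\x90" * 8  # constructed pattern: run of x86 NOPs


def pattern_match(pkt):
    if pkt.proto == "tcp" and pkt.dst_port == 5554:
        return "Sasser-like (TCP/5554)"   # header-only pattern from the text
    if NOP_SLED in pkt.payload:
        return "x86 NOP sled"
    return None


# 3. Protocol decode analysis: parse the HTTP request head and flag what the
#    grammar does not allow (a malformed request line, two Content-Length
#    headers where a request may carry only one).
def protocol_decode_http(raw):
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return "malformed request line"
    lengths = [h for h in lines[1:] if h.lower().startswith(b"content-length:")]
    if len(lengths) > 1:
        return "duplicate Content-Length"
    return None


# 4. Heuristic analysis: each weak signal adds one point; classify at threshold.
QUESTIONABLE_DOMAINS = {"free-prizes.example"}   # constructed list
SPAM_THRESHOLD = 2


def heuristic_spam_score(msg):
    score = 0
    words = msg["body"].split()
    if words:
        # letter/digit substitutions ("cl1ck", "fr33") stand in for misspellings
        obfuscated = sum(1 for w in words if re.search(r"[a-z]\d|\d[a-z]", w.lower()))
        if obfuscated / len(words) >= 0.25:
            score += 1
    if not words and any(a.lower().endswith((".gif", ".jpg", ".png")) for a in msg["attachments"]):
        score += 1  # image-only message
    if msg["from"].rsplit("@", 1)[-1].lower() in QUESTIONABLE_DOMAINS:
        score += 1
    subj = msg["subject"]
    if "!!!" in subj or (subj and sum(c.isupper() for c in subj) / len(subj) > 0.6):
        score += 1  # odd subject line
    return score


def is_spam(msg):
    return heuristic_spam_score(msg) >= SPAM_THRESHOLD


# Constructed messages for a quick run.
SPAM_MSG = {"from": "win@free-prizes.example", "subject": "YOU WON!!!",
            "body": "cl1ck n0w for fr33 m0ney", "attachments": []}
HAM_MSG = {"from": "alice@corp.example", "subject": "Lunch tomorrow?",
           "body": "Want to grab lunch at noon?", "attachments": []}
ONE_SIGNAL_MSG = {"from": "bob@free-prizes.example", "subject": "hi",
                  "body": "see attached", "attachments": ["a.jpg"]}

if __name__ == "__main__":
    print(pattern_match(Packet("tcp", 5554)))
    print(protocol_decode_http(b"GET / HTTP/1.1\r\nContent-Length: 5\r\nContent-Length: 3\r\n\r\n"))
    for m in (SPAM_MSG, HAM_MSG, ONE_SIGNAL_MSG):
        print(m["subject"], heuristic_spam_score(m), is_spam(m))
```

The single-signal message is the point of the heuristic branch: a questionable sender domain on its own scores 1 and is delivered, which is exactly the "one condition alone is not enough" behaviour the text describes; the same domain plus an obfuscated body crosses the threshold.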
Anomaly Detection
Anomaly (profile) detection detects activity that deviates from the "norm" based on a predetermined definition of normal (i.e., a profile). Detection can include an event, a state, a piece of content, or a behavior that is considered abnormal. The profile (baseline) is usually "learned" through a statistical analysis of normal operational patterns. Most anomaly solutions will also allow behaviors to be programmed or imported into the system. Examples of the types of behaviors that might be detected include the following:
Protocol anomaly—nonstandard traffic on an assigned port, for example, SSL/TLS traffic on the DNS port (53)
Service anomaly—nonstandard service on an assigned port, for example, peer-to-peer file sharing on the HTTP port (80)
Application anomaly—nonstandard content in a data exchange, for example, JavaScript embedded in an HTTP POST
Statistical anomaly—disproportionate activity, for example, an inordinate amount of DNS traffic
Anomalies may be combined to detect additional conditions. The effectiveness of the tactic is based on how well the profile is able to characterize normal versus abnormal behavior, taking into account where the activity originated (internal or external network). The profile is a list of attributes and associated values specific to the device being monitored. In other words, a profile for a Web server would be oriented toward HTTP and HTTPS protocol attributes. The profile must be created and be stable before enabling detection; otherwise a large number of false positives are likely to result. A false positive (or false alarm) is an erroneous detection of malicious activity, when in fact the activity was legitimate. The opposite—a false negative—is the failure to detect a malicious activity when it was taking place. Anomaly matching is commonly used in network- and host-based intrusion detection systems (NIDS, HIDS).
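To make the "learn a profile, then detect" cycle concrete, here is an added example (written for this page, not taken from the book or from any IDS product) that covers two of the anomaly types above: a protocol anomaly check against a per-port profile for a hypothetical Web server, and a statistical anomaly check that learns a per-interval baseline, computes mean and standard deviation, and deliberately stays silent for any key whose profile is not yet stable. The port-to-protocol map, the training counts, the observed flows, the multiplier k and the minimum sample count are all constructed assumptions.

```python
"""Profile-based anomaly sentry on constructed flow data.
Added example; profiles, thresholds and flows are illustrative assumptions."""
import statistics
from collections import defaultdict

# Expected application protocol per assigned port for a hypothetical Web
# server profile (assumption, not a vendor default).
WEB_SERVER_PORT_PROFILE = {53: "dns", 80: "http", 443: "tls"}


def protocol_anomaly(flow, port_profile=WEB_SERVER_PORT_PROFILE):
    """Flag a flow whose observed protocol does not match what the port is
    assigned to (e.g. TLS on the DNS port). Ports not in the profile pass."""
    expected = port_profile.get(flow["dst_port"])
    if expected is not None and flow["app_proto"] != expected:
        return (f"{flow['host']}: {flow['app_proto']} on port "
                f"{flow['dst_port']} (expected {expected})")
    return None


class StatisticalProfile:
    """Baseline of events-per-interval counts, keyed by attribute (e.g. 'dns')."""

    def __init__(self, k=3.0, min_samples=10):
        self.k = k                      # alert when count > mean + k * stdev
        self.min_samples = min_samples  # intervals required before a key is stable
        self.samples = defaultdict(list)
        self.baseline = {}              # key -> (mean, stdev)

    def learn(self, key, count):
        self.samples[key].append(count)

    def freeze(self):
        """Compute the baseline. Keys with too few samples stay unprofiled so
        that detection is never enabled on an unstable profile."""
        for key, xs in self.samples.items():
            if len(xs) >= self.min_samples:
                self.baseline[key] = (statistics.mean(xs), statistics.pstdev(xs))
        return self.baseline

    def check(self, key, count):
        if key not in self.baseline:
            return None  # not stable yet: silence beats a flood of false positives
        mean, sd = self.baseline[key]
        threshold = mean + self.k * max(sd, 1.0)  # floor on sd: a flat baseline must not be hair-trigger
        if count > threshold:
            return (f"{key}: {count} events/interval vs baseline {mean:.1f} "
                    f"(sd {sd:.2f}, threshold {threshold:.1f})")
        return None


# Constructed training data: DNS queries per minute over ten quiet minutes.
TRAINING_DNS_COUNTS = [10, 12, 11, 9, 10, 11, 12, 10, 9, 11]

# Constructed flows observed after the profile is frozen.
OBSERVED_FLOWS = [
    {"host": "web1", "dst_port": 443, "app_proto": "tls"},
    {"host": "web1", "dst_port": 53, "app_proto": "tls"},      # protocol anomaly
    {"host": "web1", "dst_port": 8080, "app_proto": "http"},   # unprofiled port
]


def run_demo():
    """Train, freeze, then evaluate; returns the list of alert strings."""
    profile = StatisticalProfile()
    for c in TRAINING_DNS_COUNTS:
        profile.learn("dns", c)
    profile.learn("http", 300)   # a single sample: this key stays unprofiled
    profile.freeze()

    alerts = [a for a in (protocol_anomaly(f) for f in OBSERVED_FLOWS) if a]
    for key, count in (("dns", 13), ("dns", 60), ("http", 5000)):
        a = profile.check(key, count)
        if a:
            alerts.append(a)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print("ALERT", a)
```

With the constructed training data the DNS baseline is 10.5 per minute with a standard deviation of about 1.02, so 13 queries pass, 60 alert, and the 5000 "http" events produce nothing at all because that key never reached the minimum sample count; that silence is the text's "profile must be stable before enabling detection" rule made explicit.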
Intrusion Prevention Extensions
Intrusion Prevention Systems (IPS) are basically intrusion detection systems with proactive extensions. The extensions are designed to stop an intrusion before it can do any damage. Host-based IPS hooks into the operating system kernel and Application Programming Interfaces (APIs) in order to block malicious actions such as changing system files or configuration and creating a new account. Some versions have extensions that are designed to monitor applications as well. Controls to prevent unauthorized changes to website files or registry settings are one example. One of the best features of IPSs is their ability to block attacks that do not have a signature yet. On the downside, they are often so integrated into the operating system that doing OS upgrades becomes a problem. Along the same lines, they need to be impeccably designed and coded so that they don't interfere with system operations or performance. Bill saw an example of this at a company he worked with; the company had IPS running on its domain controllers, and every now and again the servers would blue screen (crash). When the memory dump showed the faulting module to be the IPS, it was removed and the problem went away. Unfortunately, the problem was difficult to find and fix, and after a couple of tries the vendor gave up and subsequently lost the account.
Network IPS functions like an advanced firewall. Intrusion detection (IDS) is passive: it just monitors traffic as it passes by, so it has no way to block malicious traffic. To be blocked, traffic must travel through an inline device like a firewall. When network IPS detects malicious traffic, it refuses to forward it and usually resets the connection as well. Some devices also add the source to an Access Control List so that subsequent packets are dropped as soon as they arrive. The advantage of this configuration is that the malicious content never gets delivered to the target system. The downside is that traffic must go through the device, so it becomes a potential choke point and a single point of failure. Because IPS uses a signature-based detection system, its effectiveness is based on the quality of the signatures provided. Quality is a major issue because a poor signature will not only generate a false positive but will kill the legitimate session as well!
Resolution
False positives and false negatives are used to determine the resolution of pattern and anomaly detection solutions. Each detection method has its pros and cons. Misuse detection has a low false-positive rate, but signature-based approaches are not effective against new or unknown viruses. Pattern matching suffers from the same issue; the pattern must be known (and attack patterns tend to change a lot), and if the pattern isn't unique enough it produces a lot of false positives. Stateful pattern matching can improve this somewhat. Protocol decode analysis has few false positives if the protocols are well defined, but the rate can be high for protocols that are loosely defined. Heuristic analysis is remarkably good at detecting malicious activity, but it is very resource-intensive and can have negative performance impacts under a heavy load.
All the applications and appliances based on these detection technologies will generate alerts and log events. The question is one of accuracy and effectiveness. The closer the detector is to the asset it is protecting, the more effective it will be. The principle is easy to illustrate: if you put NIDS on the Internet side of your firewall, you see all the attacks coming at the firewall. If you place it on the inside of your firewall, you see all the attacks that are getting through! Detectors can also be tuned to the system or systems they are protecting when they are on the host or on the same network segment. The accuracy issue is related to good-quality signatures and the ability to tune those signatures to your environment. If you choose to use IPS, this is even more critical, because every false positive also blocks legitimate traffic. Commonality is another consideration; you want a system that will use your standard protocols, record formats, and storage mechanisms. Solutions that have proprietary monitoring consoles add complexity to the monitoring environment; look for solutions that work well with your overall strategy.
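The resolution figures above are only useful once you can compute them, and the computation also exposes a trap the paragraph hints at: a small false-positive rate still swamps the analyst when real attacks are rare. This is an added example for this page, not from the book; it derives the false-positive and false-negative rates from a constructed set of labelled events and then works out what fraction of alerts would be genuine at a given attack prevalence. The event labels, the alert set and the rates plugged in at the end are assumptions.

```python
"""Resolution arithmetic for a detector: confusion matrix, rates, and the
base-rate effect on alert precision. Added example with constructed labels."""


def confusion(flagged, truth):
    """flagged: set of event ids the detector alerted on.
    truth: dict of event id -> True if the event really was malicious."""
    tp = fp = fn = tn = 0
    for eid, malicious in truth.items():
        hit = eid in flagged
        if hit and malicious:
            tp += 1
        elif hit:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn}


def rates(cm):
    """False-positive rate, false-negative rate, precision and recall."""
    def ratio(n, d):
        return n / d if d else 0.0
    return {
        "fpr": ratio(cm["fp"], cm["fp"] + cm["tn"]),        # false alarms per benign event
        "fnr": ratio(cm["fn"], cm["fn"] + cm["tp"]),        # missed attacks per real attack
        "precision": ratio(cm["tp"], cm["tp"] + cm["fp"]),  # alerts worth an analyst's time
        "recall": ratio(cm["tp"], cm["tp"] + cm["fn"]),
    }


def expected_precision(prevalence, tpr, fpr):
    """Fraction of alerts that are genuine, given the base rate of attacks.
    prevalence: fraction of all events that are malicious; tpr = 1 - fnr."""
    true_alerts = prevalence * tpr
    false_alerts = (1.0 - prevalence) * fpr
    return true_alerts / (true_alerts + false_alerts)


# Constructed labelled sample: ten events, three of them malicious (1, 3, 7).
TRUTH = {1: True, 2: False, 3: True, 4: False, 5: False,
         6: False, 7: True, 8: False, 9: False, 10: False}
FLAGGED = {1, 2, 7}   # the detector fired on 1, 2 and 7: 2 is a false alarm, 3 was missed


if __name__ == "__main__":
    cm = confusion(FLAGGED, TRUTH)
    print(cm)
    print(rates(cm))
    # Assumed detector: catches 99% of attacks, flags 1% of benign events,
    # in an environment where one event in ten thousand is an attack.
    print(f"precision at 1e-4 prevalence: {expected_precision(1e-4, 0.99, 0.01):.2%}")
```

With those assumed figures, roughly one alert in a hundred is a real attack, which is why a signature that is "not sufficiently unique" is an operational problem and not just a statistical one; moving the sensor inside the firewall, as the text recommends, raises the prevalence of real attacks in what it sees and so raises the precision of the same signatures.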
Log-Based Detection
The processing of log or audit trail records is another method of detecting malicious activity. There are two ways to accomplish this. The first is periodic review; logs (or video recordings) are reviewed for activities indicative of malfeasance. A number of log parsing and reporting tools are available to assist with this process, but from a security perspective periodic review is not a very effective control because it detects events after the fact. Most of the malicious activity discovered by this method comes from the prevalence of repeated entries, something that would have easily been detected in real time with other technologies. Log-based detection can be improved using an automated collection and analysis system. Several commercial products do this type of analysis. Their accuracy depends on the quality of the information in the log or audit trail; false positives can be an issue. One of the advantages of these products is collation. Because these systems collect logs from multiple devices, they can match events from across the environment and identify activities that might otherwise go unnoticed. For example, collating physical access logs with logical access records can identify compromised or shared accounts. If someone isn't in the office but is logged on to the network locally, either he tailgated through an entrance or his account has been compromised; both events constitute unauthorized activity. Automated log analysis can be done in-house or outsourced to a Managed Security Service Provider (MSSP). While this is not the best overall solution, it does provide both near real-time detection and a good stopgap measure until application- and data-intrusion detection solutions become available. (For additional information on these technologies see Chapter 11.)
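The badge-versus-logon collation described above is a small correlation rule, and it is worth seeing the rule written out because the interesting part is the time logic, not the parsing. The following is an added example for this page, not code from the book or from any log-management product: it turns constructed badge events into per-user presence intervals (a badge-in with no later badge-out is treated as still present) and then reports every local logon that falls outside such an interval, ignoring remote logon types on purpose. Both log formats, the regular expressions, the user names and every entry are constructed assumptions; real badge systems and operating-system logon records need their own parsers.

```python
"""Collate a physical badge log with a logical logon log.
Added example; both log formats and all entries are constructed."""
import re
from collections import defaultdict
from datetime import datetime

BADGE_LOG = """\
2010-08-18 07:55:02 BADGE IN door=lobby user=jsmith
2010-08-18 08:10:41 BADGE IN door=lobby user=agarcia
2010-08-18 12:01:17 BADGE OUT door=lobby user=jsmith
"""

LOGON_LOG = """\
2010-08-18 08:02:13 LOGON user=jsmith type=local host=WS-0417
2010-08-18 08:15:50 LOGON user=agarcia type=local host=WS-0221
2010-08-18 09:30:05 LOGON user=bwong type=local host=WS-0330
2010-08-18 13:12:44 LOGON user=jsmith type=local host=WS-0417
2010-08-18 14:00:00 LOGON user=bwong type=vpn host=GW-1
"""

BADGE_RE = re.compile(r"^(\S+ \S+) BADGE (IN|OUT) door=\S+ user=(\S+)$")
LOGON_RE = re.compile(r"^(\S+ \S+) LOGON user=(\S+) type=(\S+) host=(\S+)$")
TS = "%Y-%m-%d %H:%M:%S"


def parse_badge(text):
    """Yield (timestamp, action, user) for each well-formed badge line."""
    for line in text.splitlines():
        m = BADGE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS), m.group(2), m.group(3)


def parse_logons(text):
    """Yield (timestamp, user, logon_type, host) for each well-formed logon line."""
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS), m.group(2), m.group(3), m.group(4)


def presence_intervals(badge_events):
    """Build [badge-in, badge-out] intervals per user, in time order.
    An IN with no later OUT is an open interval (the person is still inside)."""
    intervals = defaultdict(list)
    open_since = {}
    for ts, action, user in sorted(badge_events):
        if action == "IN":
            open_since[user] = ts
        elif user in open_since:
            intervals[user].append((open_since.pop(user), ts))
    for user, ts in open_since.items():
        intervals[user].append((ts, datetime.max))
    return intervals


def correlate(badge_log, logon_log):
    """Return (timestamp, user, host, reason) for every local logon that no
    badge-in interval covers. Remote logon types are skipped: working from
    home is not a violation of this rule."""
    present = presence_intervals(parse_badge(badge_log))
    findings = []
    for ts, user, logon_type, host in parse_logons(logon_log):
        if logon_type != "local":
            continue
        if not any(start <= ts <= end for start, end in present.get(user, [])):
            findings.append((ts.strftime(TS), user, host,
                             "local logon with no matching badge-in"))
    return findings


if __name__ == "__main__":
    for finding in correlate(BADGE_LOG, LOGON_LOG):
        print(*finding)
```

On the constructed data the rule produces two findings and no noise: bwong logs on locally at 09:30 without ever badging in (tailgating or a compromised account, as the text says), and jsmith logs on at 13:12 after badging out at 12:01, while agarcia's open interval and bwong's VPN session are correctly left alone.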
Improving IT event detection involves people, processes, and technology. Intrusion detection
systems, intrusion prevention, and antimalware are examples of commonly used real-time IT
detection technologies. Automated log processing is another alternative that provides near real-
time detection. Process-based periodic log and audit trail review is another option that provides
after-the-fact detection. All these techniques have their advantages and disadvantages.  e closer
the detection is to the protected asset, the more eff ective and accurate it will be. It is best to employ
technologies that have commonality with other security controls to make alert processing, data
transfers, and reporting more e ective. No matter which technologies you decide on, remember
that a well-trained and skilled sta is essential to achieving the best operational results.
Alarming
Thus far we have concentrated on the first two components of observation: monitoring and detection. This section addresses the third component: alarming.
Whether our reconnaissance and sentry is human or electronic, the purpose is the same: to monitor the scene, note changes, and raise an alarm when malicious or potentially malicious activity is detected. Alarming is based on the severity of the event. Severity is determined from a number of different classes that are environment-dependent. For example, events that pose an imminent (or manifest) danger to safety or security are considered critical events. Events that affect a large number of systems or users are also critical events, as are events affecting high-value assets. These events require an immediate response, so alarms are sent directly to response personnel. In larger organizations, the response agency would typically be the security operations center; in smaller organizations, alerts may be sent to a text pager, cell phone, or other alerting device. For critical events it is best to have more than one communications channel for alerts and a positive acknowledgment system to verify the alert has been received. Critical events call for an immediate activation of the emergency or incident response function.
The second class of events is important events, events that pose an immediate danger to safety or security. Because these also require an immediate response, they are also sent directly to response personnel. Important events may require a partial activation of the emergency or incident response function. The difference between critical and important is the impact (loss potential) of the attack—such as an attack against a limited number of systems or lower value assets. An attack against systems in the DMZ is a good example. The attack may have the potential of compromising or defacing a Web server, but it will not impact the business operations of the internal network.
Moderate-level events are the third class of alarms. These events apply to attacks that are detected but have a limited potential of success or represent no significant impact to safety or security. Moderate events are forwarded to response personnel but do not require an immediate response. For example, the connection of an unauthorized system to the network is a violation