Did You See That! (Observation) 163
Table 9.5 maps event detection attributes to specific baselines. The type (hard or soft) is used to denote how evidence is collected for each control. Soft indicates a procedure-based control, while hard denotes a technology-based (i.e., automated) control.

Table 9.4 Surveillance Control Objectives (continued)
Attribute/Control | Type | Risk and Requirements
Detection | Soft | Personnel performing surveillance activities should be trained to recognize threat situations and take appropriate actions to reduce damages or loss of human life.
Alerting | Soft | Personnel performing surveillance activities should be trained in proper alerting procedures to ensure that alarms are reported to the proper responder and that people in immediate danger are properly notified.

Table 9.5 Event Detector Control Objectives
Attribute/Control | Type | Risk and Requirements
Coverage | Soft | Event detection should provide, at a minimum, detection of all facility events related to security, including the opening and closing of doors, windows, skylights, HVAC vents, etc.; movement in secured areas; flooding, fire, glass or wall breakage; and so on, to facilitate the detection of unauthorized or malicious activities.
Detectors
Accuracy | Hard | Event detection devices must correctly report changes in state to facilitate the detection of unauthorized or malicious activities. Detection must be reasonable; that is, it must take place in a reasonable time frame and be within a reasonable range.
Sensitivity | Soft | Event detection devices should have adjustable thresholds to reduce false detections resulting from environmental variables.
Controllers
Accurate | Hard | Event device controllers must correctly interpret detector inputs and report actual or potentially malicious activity.
Flexible | Soft | Event device controllers must be able to accept inputs from a variety of event detectors.
Programmable | Soft | Event device controllers should be programmable to improve detection accuracy and reliability.

Pattern and Anomaly Detectors
Pattern and anomaly detectors are logic-based applications used in computer environments to monitor content or activity for the presence of malicious code. The effectiveness of pattern and anomaly detectors is based on their correct or incorrect detection rate (sometimes called resolution). Resolution, as the term is used here, is the average of the false-negative and false-positive events for any given number of events, so a lower figure is better. Resolution for pattern detection depends on the availability and quality of the signatures used for matching. Resolution for anomaly detection depends on how well the detection profile is able to characterize normal versus abnormal behavior.

164 Security Strategy: From Requirements to Reality
Table 9.6 maps these attributes to specific baselines. The type (hard or soft) is used to denote how evidence is collected for each control. Soft indicates a procedure-based control, while hard denotes a technology-based (i.e., automated) control.
These control objectives form the basis for timely, comprehensive, and accurate observation of malicious or potentially malicious acts. The control objectives begin with human observation and proceed to physical and logical detectors. The objectives support rapid response through the use of reconnaissance and real-time detection and alerting. Detection is improved through the use of high-resolution devices that facilitate scene interpretation.
Table 9.6 Logical Detector Control Objectives
Attribute/Control | Type | Risk and Requirements
Coverage | Soft | Logical detection mechanisms should be used to discover malicious activity or content on systems or network infrastructure.
Pattern Matching
Accurate | Hard | Logical detection mechanisms should have the lowest possible false-positive and false-negative rates.
Timely | Hard | Logical detection mechanisms must be updated regularly and, in the case of an emerging or in-progress attack, updated immediately.
Tunable | Soft | Logical detection mechanisms must support the adjustment of signatures and profiles to provide better accuracy and more granular detection.
Commonality | Soft | Logical detection mechanisms should integrate with existing alerting, transport, storage, and reporting solutions.

The following actions are recommended to further security observation objectives:
1. Review existing reconnaissance activities and results to identify shortcomings in preemptive notifications and information accuracy.
2. Survey existing surveillance practices and procedures to identify gaps in coverage and procedures, and deficiencies in staff knowledge, skills, and abilities (KSA).
3. Survey the existing surveillance equipment installation to identify gaps in coverage, resolution issues, recording shortcomings, and so on.
4. Assess the risks associated with existing reconnaissance and surveillance practices.
5. Survey the existing physical detector equipment installation to identify gaps in coverage or resolution issues.
6. Review existing antimalware, intrusion detection, and intrusion prevention practices and procedures to identify gaps in coverage, procedures, and KSA deficiencies. Review accuracy rates, including false negatives. Identify the primary assets these systems are designed to protect.
7. Update existing standards to conform to security strategic objectives for observation, including reconnaissance, surveillance, physical, and logical detection requirements.
8. Review and update application development processes (in-house or contracted) to incorporate observation (intrusion detection) guidance for all development efforts.
9. Review existing alert management equipment and procedures to identify gaps in commonality.
10. Review your corporation's data-retention policies to determine how they may impact your video recording and alert management schema.
11. Consider outsourcing reconnaissance to a third party.
12. Consider outsourcing log-based detection to a managed security service provider (MSSP).
Conclusion
Observation is the cornerstone of security. It is both a deterrent and a detector. It is a deterrent because people are less likely to do something illicit if they believe someone will see them do it, and it is a detector when an illicit act is seen. Observation drives our outside and inside facility designs and campus layout. It guides operations, including the placement of security officers and the use of video surveillance. Observation extends beyond security to encompass fire, flood, earthquake, and other safety-related functions. Observation comes down to the desktop in the form of antivirus and intrusion prevention software. All security controls are based on the ability to observe an event, interpret what is happening, and detect malfeasance. Although not all security failures are directly caused by observation, it is ultimately our lack of observation that allows those failures to go unnoticed and damages to be done.
Excellence in observation must always be one of our principal strategic objectives. In this chapter observation was covered from three different perspectives: reconnaissance, sentry, and command. Reconnaissance is a preemptive tactic that focuses on learning what will be targeted in the future and what tools (weapons) and maneuvers will be used so that countermeasures can be put in place and personnel prepared for a potential attack. Reconnaissance is a critical component of a good defense. An in-house reconnaissance function is unusual; a number of services already perform reconnaissance, supplying information to the industry for free or for a modest subscription fee.
Sentry is an alarm tactic designed to detect imminent or manifest attacks. This chapter examined the sentry tactic from three different viewpoints: surveillance, physical event detection, and logical event detection. Surveillance means to continually observe or to watch closely. This chapter focused on direct or video-assisted human surveillance. The effectiveness of human surveillance is based on three factors: field of view, resolution, and training. Of the three, having observant people is the most important; the goal should be a culture of observant people.
Event detectors and controllers can be used to identify unauthorized or malicious activities. The effectiveness and accuracy of these devices are high because they are based on physical events such as the opening or closing of a door. Detectors can be deployed to monitor just about any physical state, including safety-related items such as fire, smoke, and flooding. Detectors often combine multiple mechanisms into a single device to increase accuracy. For coverage purposes, detectors are often redundant or overlapping. Physical detectors are frequently integrated with surveillance systems to switch the monitor focus to high-security events. The effectiveness of detectors is largely related to the controller to which they are attached. The controller must be able to properly interpret the detector signals and take the proper action. Written operational guides and procedures for responding to events are key to timely and effective response; people dealing with events must take the right actions and escalate alarms when necessary. Just like surveillance, a trained, observant staff capable of correctly interpreting detector events is essential.
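As an added illustration of the controller behavior described above (this is example code written for this page, not code from the book or from any alarm vendor), the following Python models an event-device controller that debounces a door contact (the adjustable sensitivity threshold of Table 9.5), distinguishes an authorized opening from a forced-open condition, reports a door held open beyond a limit, and raises motion alarms only while the zone is armed. The zone name, the thresholds, the event tuple format, the arming schedule and the sample event stream are all assumptions made for the example.

```python
"""Added example: a toy event-device controller for door contacts and motion
sensors. Zone names, thresholds, the event format and the arming schedule are
assumptions made for this illustration, not any vendor's API."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# (time in seconds-of-day, zone, detector, state); constructed sample stream
Event = Tuple[float, str, str, str]
SAMPLE_EVENTS: List[Event] = [
    (0.00, "lab-door", "contact", "open"),     # 50 ms flicker: a glitch, not an opening
    (0.05, "lab-door", "contact", "closed"),
    (10.0, "lab-door", "unlock", "granted"),   # access control released the lock
    (12.0, "lab-door", "contact", "open"),     # authorized opening
    (14.0, "lab-door", "contact", "closed"),
    (100.0, "lab-door", "contact", "open"),    # no unlock preceded this: forced open
    (101.0, "lab-door", "contact", "closed"),
    (200.0, "lab-door", "unlock", "granted"),
    (201.0, "lab-door", "contact", "open"),    # never closes: held open
    (250.0, "lab-door", "motion", "active"),   # 00:04 on the clock, zone is armed
]

@dataclass
class Alarm:
    time: float
    zone: str
    kind: str       # "forced-open", "held-open", "motion-armed"
    priority: str   # "high" or "medium"

@dataclass
class Controller:
    debounce_s: float = 0.2       # sensitivity: ignore contact flickers shorter than this
    unlock_grace_s: float = 5.0   # an unlock this recent makes an opening authorized
    held_open_s: float = 30.0     # open longer than this is a held-open condition
    armed_hours: Tuple[int, int] = (18, 8)  # armed from 18:00 until 08:00
    last_unlock: Dict[str, float] = field(default_factory=dict)
    open_since: Dict[str, float] = field(default_factory=dict)
    held_reported: Set[str] = field(default_factory=set)
    alarms: List[Alarm] = field(default_factory=list)

    def armed(self, t: float) -> bool:
        hour = (t // 3600) % 24
        start, end = self.armed_hours
        return hour >= start or hour < end

    def debounce(self, events: List[Event]) -> List[Event]:
        """Drop an 'open' that is closed again within debounce_s (and its close)."""
        events = sorted(events)
        kept, skip = [], set()
        for i, ev in enumerate(events):
            if i in skip:
                continue
            t, zone, det, state = ev
            if det == "contact" and state == "open":
                nxt = next(((j, e) for j, e in enumerate(events[i + 1:], i + 1)
                            if e[1] == zone and e[2] == "contact"), None)
                if nxt and nxt[1][3] == "closed" and nxt[1][0] - t < self.debounce_s:
                    skip.add(nxt[0])
                    continue
            kept.append(ev)
        return kept

    def _check_held(self, now: float) -> None:
        for zone, since in self.open_since.items():
            if zone not in self.held_reported and now - since >= self.held_open_s:
                self.held_reported.add(zone)
                self.alarms.append(Alarm(since + self.held_open_s, zone, "held-open", "medium"))

    def process(self, events: List[Event], end_time: float) -> List[Alarm]:
        for t, zone, det, state in self.debounce(events):
            self._check_held(t)
            if det == "unlock" and state == "granted":
                self.last_unlock[zone] = t
            elif det == "contact" and state == "open":
                self.open_since[zone] = t
                if t - self.last_unlock.get(zone, float("-inf")) > self.unlock_grace_s:
                    self.alarms.append(Alarm(t, zone, "forced-open", "high"))
            elif det == "contact" and state == "closed":
                self.open_since.pop(zone, None)
                self.held_reported.discard(zone)
            elif det == "motion" and state == "active" and self.armed(t):
                self.alarms.append(Alarm(t, zone, "motion-armed", "high"))
        self._check_held(end_time)
        return self.alarms

if __name__ == "__main__":
    for a in Controller().process(SAMPLE_EVENTS, end_time=300.0):
        print(f"t={a.time:6.1f} {a.zone} {a.kind} ({a.priority})")
```

Run as-is, the sample stream yields three alarms (forced-open at t=100, held-open at t=231, armed motion at t=250) and no alarm for the 50 ms flicker or the badge-authorized openings; the thresholds and the arming window are the "programmable" and "sensitivity" knobs of Table 9.5, and a forced-open alarm is raised regardless of schedule because it never has an innocent explanation.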
Logical event detectors come in two forms: malicious pattern detection and abnormal behavior detection. Pattern detection compares activity or content against a set of predefined signatures; a signature match is taken to indicate malfeasance. There are four different types of signature matching: misuse, pattern, protocol, and heuristics. With the exception of heuristics, pattern matching is only effective at identifying known malicious code. Heuristics can detect some types of unknown attacks if they have characteristics similar to those of other malware. The accuracy of pattern matching depends on the quality of the signatures that are produced. Poor signatures can result in false positives, which can be problematic when they halt legitimate work efforts; signatures that are too narrow have the opposite failure and miss variants, producing false negatives. Pattern matching is commonly used in antivirus/antimalware solutions and network- or host-based intrusion detection systems (NIDS, HIDS).
Anomaly detectors are often referred to as profile detectors because they use a statistical profile of normal system activity to detect behavior that is abnormal. The initial profile is usually created during a learning period and is tuned over time to resolve false positives; the learning period must itself be free of malicious activity, or that activity becomes part of the baseline. Anomaly detectors look for inordinate protocol, service, application, and statistical behaviors. Anomalies may be combined to detect additional conditions. The effectiveness of this tactic is based on how well the profile is able to characterize what is "normal" system operation and what is not. One advantage of this approach is the ability to monitor applications and to notice activity for which no signature exists. The downside is a high rate of false positives and the maintenance that goes with it. Anomaly matching is commonly used in network- and host-based intrusion detection systems (NIDS, HIDS).
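The following Python example is added here (it is not code from the book) to make the two detection forms, and the resolution figure defined earlier in this section, concrete on the same data: a small signature set is matched against request paths (pattern detection), a requests-per-minute profile is learned from a constructed learning period and used to flag rate outliers (anomaly detection), and the combined verdicts are scored against labels to yield false-positive and false-negative counts and rates. The log format, the signatures, the threshold k, the helper names and every log line are assumptions constructed for the example.

```python
"""Added example: pattern (signature) detection and anomaly (profile)
detection over constructed web-access log lines, scored against labels.
The log format, the signatures, the threshold k and every line are
assumptions made for this illustration, not a product's rules or data."""
import re
import statistics
from collections import Counter
from typing import Any, Dict, List, Set, Tuple

# Pattern detection: a deliberately small signature set.
SIGNATURES = {
    "sqli-union": re.compile(r"union(?:\s|%20|\+)+select", re.I),
    "path-traversal": re.compile(r"(?:\.\./|%2e%2e%2f){2,}", re.I),
    "webshell-cmd": re.compile(r"[?&]cmd=(?:cat|id|whoami|wget|curl)\b", re.I),
}
LINE_RX = re.compile(r'^(\d+) (\S+) "(\w+) (\S+)" (\d{3})$')

def parse(line: str) -> Dict[str, Any]:
    """Constructed format: '<minute> <src-ip> "<METHOD> <path>" <status>'."""
    m = LINE_RX.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    minute, src, method, path, status = m.groups()
    return {"minute": int(minute), "src": src, "method": method, "path": path, "status": status}

def pattern_detect(ev: Dict[str, Any]) -> List[str]:
    return [name for name, rx in SIGNATURES.items() if rx.search(ev["path"])]

class RateProfile:
    """Anomaly detection: learn requests per source per minute during a learning
    period, then flag (source, minute) pairs whose count exceeds mean + k*stdev."""
    def __init__(self, k: float = 3.0):
        self.k = k                  # the tunable threshold
        self.mean = self.stdev = 0.0

    def learn(self, events: List[Dict[str, Any]]) -> "RateProfile":
        rates = list(Counter((e["src"], e["minute"]) for e in events).values())
        self.mean = statistics.mean(rates)
        self.stdev = statistics.pstdev(rates) or 1.0
        return self

    def anomalous(self, events: List[Dict[str, Any]]) -> Set[Tuple[str, int]]:
        counts = Counter((e["src"], e["minute"]) for e in events)
        return {key for key, n in counts.items() if (n - self.mean) / self.stdev > self.k}

def score(verdicts: List[Tuple[bool, bool]]) -> Dict[str, float]:
    """verdicts: (flagged, actually_malicious) per line."""
    tp = sum(1 for f, bad in verdicts if f and bad)
    fp = sum(1 for f, bad in verdicts if f and not bad)
    fn = sum(1 for f, bad in verdicts if not f and bad)
    tn = sum(1 for f, bad in verdicts if not f and not bad)
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "fp_rate": fp / (fp + tn) if fp + tn else 0.0,
            "fn_rate": fn / (fn + tp) if fn + tp else 0.0,
            "resolution": (fp + fn) / 2}   # the page's figure: mean of FP and FN events

def run(training: List[str], labeled: List[Tuple[str, bool]],
        use_anomaly: bool = True, k: float = 3.0) -> Dict[str, float]:
    profile = RateProfile(k).learn([parse(l) for l in training])
    events = [parse(line) for line, _ in labeled]
    anomalous = profile.anomalous(events) if use_anomaly else set()
    verdicts = [(bool(pattern_detect(ev)) or (ev["src"], ev["minute"]) in anomalous, bad)
                for ev, (_, bad) in zip(events, labeled)]
    return score(verdicts)

def constructed_training() -> List[str]:
    """Learning period: five sources making 2-4 catalog requests per minute."""
    return [f'{m} 10.0.0.{i + 1} "GET /catalog/item{r}" 200'
            for m in range(10) for i in range(5) for r in range(2 + (i + m) % 3)]

def constructed_test() -> List[Tuple[str, bool]]:
    benign = [(f'20 10.0.0.1 "GET /catalog/item{r}" 200', False) for r in range(3)]
    benign.append(('20 10.0.0.4 "GET /blog/union%20select%20explained" 200', False))  # loose signature: FP
    bad = [
        ('20 10.0.0.2 "GET /search?q=1%20UNION%20SELECT%20password" 200', True),     # signature hit
        ('20 10.0.0.3 "GET /../../../../etc/passwd" 404', True),                     # signature hit
        ('20 10.0.0.5 "GET /search?q=1%20UNION/**/SELECT%20password" 200', True),    # evades signature: FN
    ]
    flood = [(f'20 198.51.100.7 "GET /catalog/item{r}" 404', True) for r in range(40)]  # rate anomaly only
    return benign + bad + flood

if __name__ == "__main__":
    print("signatures + profile:", run(constructed_training(), constructed_test()))
    print("signatures only:     ", run(constructed_training(), constructed_test(), use_anomaly=False))
```

On the constructed data the signature set alone catches the two textbook payloads but misses both the comment-obfuscated variant and the 40-request scan (41 false negatives), while the loose `union ... select` pattern fires on a harmless blog URL (one false positive); adding the rate profile recovers the scan but does nothing for the obfuscated payload, which is the point the text makes about each method having its own good and bad points.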
Host and network intrusion prevention systems (IPSs) extend intrusion detection to include proactive methods that stop malicious activity or content before it can do any damage. A key benefit of a host IPS is its ability to stop unknown attacks, but to accomplish this the IPS agent must be tightly integrated with the operating system kernel, making it more susceptible to failure from OS patches and upgrades. For a network IPS to block malicious actions, all traffic has to pass through the device. The advantage of this configuration over an IDS is that the malicious traffic never gets delivered to the target; the downside is that the NIPS becomes a potential choke point and a single point of failure, so whether it fails open or fails closed must be a deliberate decision. Intrusion prevention systems rely largely on signature-based detection, so their effectiveness is based on the quality of the signatures provided. False positives and false negatives are used to determine the effectiveness of pattern and anomaly detection solutions. Each matching method has its good and bad points. Statistically, heuristic analysis is the best, but it can be very resource intensive. The closer these technologies are located to the asset they are protecting, the more effective they are. Commonality is another issue to consider; solutions based on proprietary monitoring and management consoles add complexity to the monitoring and response process; finding products that work with your existing management environment is the better overall strategy.
The processing of log or audit trail records is another method of detecting malicious activity. When done in real time using an automated collection and analysis system, it does improve detection of malicious activity. The accuracy depends on the quality of the information in the log or audit trail; false positives can be an issue. One advantage is collation: logs from multiple devices are collected so that events can be matched from across the environment. This can result in activities being identified that might otherwise have gone unnoticed; collation depends on synchronized clocks and a common identifier (such as the source address) that survives normalization across device formats. Automated log analysis is the current focus of the industry; there are many good products for use in-house, and many MSSPs offer this service as well.
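Added example (written for this page, not code from the book or any log-management product) of the collation the paragraph describes: firewall and SSH log lines in two different formats are normalized into one event type, then matched by source address inside a time window so that denies on one device and failed logins on another surface together; a burst of failures followed by a successful login is rated higher than a burst alone. The two log formats, the assumed syslog year and time zone, the window and threshold values, and all sample lines are constructed for the example.

```python
"""Added example: collating firewall and SSH logs of two different formats
into one event stream and matching them by source address within a time
window. Both formats, the syslog-year/UTC assumption and all lines are
constructed for this illustration; they are not a product's formats or real data."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

SAMPLE_LOGS = [
    "2024-05-01T09:00:05Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=22",
    "2024-05-01T09:00:06Z fw01 DENY src=203.0.113.9 dst=10.0.0.6 dport=22",
    "2024-05-01T09:00:30Z fw01 ALLOW src=198.51.100.4 dst=10.0.0.7 dport=443",
    "May  1 09:00:41 srv07 sshd[2201]: Failed password for root from 203.0.113.9 port 51234 ssh2",
    "May  1 09:00:43 srv07 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51236 ssh2",
    "May  1 09:00:45 srv07 sshd[2203]: Failed password for deploy from 203.0.113.9 port 51240 ssh2",
    "May  1 09:01:02 srv07 sshd[2210]: Accepted password for deploy from 203.0.113.9 port 51250 ssh2",
    "May  1 09:05:00 srv07 sshd[2300]: Failed password for alice from 10.0.0.20 port 40000 ssh2",
    "May  1 09:05:20 srv07 sshd[2301]: Accepted password for alice from 10.0.0.20 port 40001 ssh2",
]

@dataclass
class Event:
    ts: datetime
    device: str
    kind: str     # "fw-deny", "auth-fail", "auth-ok"
    src: str
    detail: str

FW_RX = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
SSH_RX = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password "
                    r"for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse_line(line: str, syslog_year: int = 2024) -> Optional[Event]:
    """Normalize either format; syslog lines carry no year or zone, so both are assumed (UTC)."""
    m = FW_RX.match(line)
    if m:
        if m.group(3) != "DENY":
            return None                       # allows are not collected in this example
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return Event(ts, m.group(2), "fw-deny", m.group(4), f"dst={m.group(5)}:{m.group(6)}")
    m = SSH_RX.match(line)
    if m:
        ts = datetime.strptime(f"{syslog_year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        kind = "auth-fail" if m.group(3) == "Failed" else "auth-ok"
        return Event(ts, m.group(2), kind, m.group(5), f"user={m.group(4)}")
    return None                               # unknown format: belongs in the parser backlog

def correlate(events: List[Event], window: timedelta = timedelta(minutes=5),
              fail_threshold: int = 3) -> List[Dict[str, object]]:
    """One finding per source with >= fail_threshold failures inside one window;
    a success from that source within the window after the failures raises severity."""
    by_src: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_src.setdefault(e.src, []).append(e)
    findings: List[Dict[str, object]] = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e.kind == "auth-fail"]
        clustered = [f for f in fails if fails[-1].ts - f.ts <= window] if fails else []
        if len(clustered) < fail_threshold:
            continue
        last_fail = clustered[-1].ts
        success = next((e for e in evs if e.kind == "auth-ok"
                        and last_fail <= e.ts <= last_fail + window), None)
        involved = sorted({e.device for e in evs
                           if clustered[0].ts - window <= e.ts <= last_fail + window})
        findings.append({"src": src, "severity": "high" if success else "medium",
                         "failures": len(clustered), "devices": involved,
                         "success": success.detail if success else None})
    return findings

if __name__ == "__main__":
    events = [e for e in (parse_line(l) for l in SAMPLE_LOGS) if e]
    for finding in correlate(events):
        print(finding)
```

On the sample lines the single finding names both devices (fw01 and srv07) for 203.0.113.9 and is rated high because the three failures were followed by a successful login as deploy; alice's one mistyped password stays below the threshold. Neither device alone would show the whole picture, which is the collation advantage the paragraph describes; note that the match only works because the syslog timestamps were normalized to the same zone as the firewall's.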
Excellence in observation is a first principle in security tactics. Observation involves people, processes, and technology. Good processes and well-integrated technologies can fill many of the gaps in your observation strategy, but nothing will improve it more than a well-trained and skilled staff and a culture that fosters observant employees.