Communications - December 2010

drive and form a new business. The attacker waited until a contractor’s previous engagement was coming up for renewal and then remarketed to the contractor under the new business banner.

In this attack, the techniques were very simple. To protect your business, you need to keep a close view of the people in the organization, their motivation and interests, make sure they are satisfied in what they do, and minimize the risk of them doing something criminal and damaging. The focus needs to move from being almost completely technological to a balance of social and technical.

BoRG: A common delusion among high-tech companies is that their information has a limited shelf life because they are generating so much new information all the time. This leads to the conclusion that it doesn’t matter if people steal information because it’s almost immediately obsolete. From an economic standpoint this is just wrong.

noRTon: Let’s presume that we can never keep these people out. How do we deal with that?

CLaRK: This whole issue of information theft really isn’t very new. These issues have been in play for hundreds of years. In our time, some things have changed, most notably pace and data volume stolen. The time necessary to undertake a successful attack has been reduced, and the volume of data that can be taken has dramatically increased.

CREEGER: Can we learn from other fields and experiences? On a previous security panel people talked about addressing the risk of malware infection along the same lines as public health. They said that malware attacks are like the flu. You are never going eradicate it and must live with some ongoing percentage of infections. It will be a different flu every year, and you can minimize your infection risk by implementing certain hygiene protocols.

CLaRK: Many people design systems on the assumption they will always work perfectly. Often, auditing features are minimal, sometimes added as a later feature. We need to architect systems on the assumption that breaches will occur, so the functions needed for a proper response are read-

SCo T T BoRG
There are five steps
to follow to carry
out a successful
cyber attack:
find the target;
penetrate it; co-opt
it; conceal what
you have done long
enough for it to
have an effect; and
do something that
can’t be reversed.

ily available when it happens.

BianCo: You should assume all preventative controls will fail. While you still need prevention, you should put your new efforts into detection and response—both in mechanisms and personnel. When prevention fails, if you can’t detect failure, you have a very large problem.

CLaRK: In individual applications,
we can quickly focus on technical
detection without looking at read-
ily available metadata—that includes
other systems—that would dramati-
cally improve detection. For example:
“Did person A log onto a network? If
yes, where was person A when he or
she logged on? Does that match what
the physical-access-control log re-
ports?”
There is a very real danger that
many vendors will provide a good but
narrow view of your network and miss
the larger context that states, for ex-
ample, that a user was not supposed
to be able to log in from an undeter-
mined physical location.

At Detica we have found real value in mining substantial levels of contextual data that corroborate not just what’s happening in the network but what was happening with the individuals that access the network at that point in time. People should not be lulled into a sense of false security because they have purchased a specific niche security product.

CREEGER: Are you saying that we have to start building a huge metadata infrastructure to determine if one event is consistent within a greater context? Who is going to write all these consistency rules that will flag events out of sync with expectations? Who is going to run all these services and on what platforms? How do we architect cost-effective solutions that expend additional cycles to monitor, audit, and determine to the second, third, fourth level whether the person’s actually doing what’s expected?

BoRG: What you are describing as a problem is a huge opportunity. There are five steps you have to follow to carry out a successful cyber attack: find the target; penetrate it; co-opt it; conceal what you have done long enough for it to have an effect; and do something that can’t be reversed. Each of these is an opportunity to stop an attacker.