Security is a Holistic Proposition

Gorka Sadowski

Subscribe to Gorka Sadowski: eMailAlertsEmail Alerts
Get Gorka Sadowski: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

Related Topics: SOA & WOA Magazine, Java Developer Magazine

Blog Post

Why Rule-Based Log Correlation Is Almost a Good Idea... (Part 6 - APTs)

Why APT attackers love static rule based correlation

APTs, Advanced Persistent Threats, are the anti-script-kiddies approach to penetrating an environment. Can static rule-based correlation catch these?

APT Attackers Love Correlation Environments
You remember that "False Sense of Security," the feeling that you are secure, but in fact you're not...?

Attackers know that an attack is a process, it is not an event. And they use this - and they use time - to their advantage. They use time scales that static rule-based correlation simply cannot cope with.

If you want to correlate disparate events, you need to keep state information on these events, and of course the longer you need to keep the state, the more expensive it becomes, expensive in RAM, CPU, storage etc etc., to the point where it is not affordable anymore.

Did you know that many/most static rule-based correlation engines cannot keep state for more than a few minutes? This means for example that many correlation engines will not even be able to address the Scenario 1 - Identity Theft - discussed above.

A 3-6 months time window is not uncommon for the APT process to take place, between the early recon to getting the data out of your environment. If you dreamt of being able to use static rules to correlate the early warnings of a recon, with the actual attack using a zero-day or a privilege escalation, with the data leak as it happens, think again. Just take the calculations from the previous installment of this series of blog, and grow the time window to a couple of months. You are now needing to perform 100's or 1 000's of billion checks per second, yes you read right it's staggering.

APT attackers will wait for you to have to recycle your state information before doing the next steps, and will work with your correlation timing to go under the covers. They love it, they know that if you have a correlation engine, you are likely trusting it, and because often "No news is good news", you will not know about this attack in progress.

You put all your eggs in static rule based correlation, do not properly manage 100% of your logs and hence have little forensics capabilities? Recipe for disaster, think that you're safe, get hit, not realize it, and not be capable of easily knowing what happened...

Next installment, we'll conclude on static rule-based correlation with a glimmer of hope and offer pragmatic steps you can take to improve this technology.

More Stories By Gorka Sadowski

Gorka is a natural born entrepreneur with a deep understanding of Technology, IT Security and how these create value in the Marketplace. He is today offering innovative European startups the opportunity to benefit from the Silicon Valley ecosystem accelerators. Gorka spent the last 20 years initiating, building and growing businesses that provide technology solutions to the Industry. From General Manager Spain, Italy and Portugal for LogLogic, defining Next Generation Log Management and Security Forensics, to Director Unisys France, bringing Cloud Security service offerings to the market, from Director of Emerging Technologies at NetScreen, defining Next Generation Firewall, to Director of Performance Engineering at INS, removing WAN and Internet bottlenecks, Gorka has always been involved in innovative Technology and IT Security solutions, creating successful Business Units within established Groups and helping launch breakthrough startups such as KOLA Kids OnLine America, a social network for safe computing for children, SourceFire, a leading network security solution provider, or Ibixis, a boutique European business accelerator.