Outlier Detection
September 20, 2012, by Larry Karisny
The Digital Communities article "Have Hackers Won?" -- an interview with Columbia computer science professor and Federal Trade Commission Chief Technologist Steven Bellovin -- gave a clear explanation of why security is limited by the size and complexity of buggy software code, and of the limits of authentication and encryption. "Authentication won't do it," Bellovin explained in the article. "In most breaches, the bad guys go around the strong authentication, not through it." He went on to say that, as part of a national study, he analyzed every CERT advisory issued up to 1998 and found that 85 percent of them were code problems, configuration errors, etc., that encryption couldn't fix.
While this may be a difficult problem to address, it is not impossible. It does, however, require a new way of looking at what real security is and how to effectively secure business process information.
Understanding True Security
Currently, data collection, buggy code, network encryption and authentication are all viewed and audited at the system output level, after the fact. In that kind of security system, real-time system data and unwanted business events are detected too late, once the damage is already done. To reach the higher security levels critical infrastructure requires, security must instead be viewed, audited and authorized at the enterprise event input level, before an event is allowed to take effect.
Our current security systems collect so many security "no's" (blocked or flagged events) at the output level that intrusion prevention and detection systems are reaching the point of overload. To date there have been over 17.7 million viruses detected. Add bandwidth-eating high-end encryption to the mix and things are eventually going to start slowing down. So how do we handle all these security no's? The answer is to turn the problem around and simply say yes: define the business events that are known to be good, approve those, and treat everything that does not fit as the exception to examine.
It is almost impossible to manually watch, detect, audit and correct all of these business activities given the complexity of today's business processes. Even when this is done through coordinated government compliance, such as NERC CIP for securing the power grid, the minute we think we are done and walk away, something changes. These compliance processes cost a lot of money, take a lot of time and cannot guarantee security anyway.
So what if we could create an anomaly detection algorithm that audits business process inputs, detects deviations from the expected pattern and approves the positive input events? If we could do this, wouldn't risk management and security become a byproduct of allowing only those positive business events to occur?
"Anomaly detection," says Wikipedia, is also called "outlier detection" and refers to detecting patterns in a given data set that do not conform to established normal behavior. The patterns thus detected are called anomalies and often translate to critical and actionable information in several application domains.
In the workplace, predetermined activities of employees, information systems and combined human-and-system events produce specific desired business process results. Anomaly detection can audit the defined patterns of these combined human and system activities and flag anything that departs from them. A change in the normal pattern of these activities gives a business manager very specific information that can help improve the business process, or even reveal a major business or system breach: a step skipped in an approval workflow or a value far outside its usual range is exactly the kind of "going around" the process that authentication alone does not catch.
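To make the two ideas above concrete, the following is an added example (not code from the article, and not any product the author has in mind) of a positive model plus outlier detection over a constructed event log. It assumes a hypothetical three-step purchase-approval process (request, approve, pay, or request, reject), learns the allowed step-to-step transitions from known-good runs (the "say yes" list), and then audits a constructed stream in which one case skips approval and another carries an outlying amount. The robust outlier score used is the Iglewicz-Hoaglin modified z-score; it is one reasonable choice, not the method the article prescribes.

```python
"""Added example: positive-model transition check plus robust outlier scoring
over a constructed log of a hypothetical purchase-approval process."""
from collections import defaultdict
from statistics import median

# Constructed known-good runs of the process. These define the business
# events we are willing to "say yes" to; anything else is an anomaly.
KNOWN_GOOD_RUNS = [
    ["request", "approve", "pay"],
    ["request", "approve", "pay"],
    ["request", "reject"],
]

# Constructed event stream to audit: (case_id, step, amount).
# C4 skips the approval step; C5 carries an amount far outside the norm.
EVENTS = [
    ("C1", "request", 120.0), ("C1", "approve", 120.0), ("C1", "pay", 120.0),
    ("C2", "request", 95.0), ("C2", "approve", 95.0), ("C2", "pay", 95.0),
    ("C3", "request", 110.0), ("C3", "reject", 110.0),
    ("C4", "request", 130.0), ("C4", "pay", 130.0),
    ("C5", "request", 48000.0), ("C5", "approve", 48000.0), ("C5", "pay", 48000.0),
]


def learn_allowed_transitions(runs):
    """Build the allow-list of (previous_step, step) pairs seen in good runs.

    START and END are synthetic markers so that the first and last steps of a
    run are checked too (a run that never reaches END is also an anomaly).
    """
    allowed = set()
    for run in runs:
        prev = "START"
        for step in run:
            allowed.add((prev, step))
            prev = step
        allowed.add((prev, "END"))
    return allowed


def unapproved_transitions(run, allowed):
    """Return the transitions in `run` that the positive model never approved."""
    prev = "START"
    bad = []
    for step in list(run) + ["END"]:
        if (prev, step) not in allowed:
            bad.append((prev, step))
        prev = step
    return bad


def modified_zscores(values):
    """Robust outlier score: 0.6745 * (x - median) / MAD (Iglewicz & Hoaglin).

    Median and MAD are used instead of mean and standard deviation so that a
    single huge value cannot mask itself by inflating the baseline.
    """
    values = list(values)
    m = median(values)
    mad = median(abs(v - m) for v in values)
    if mad == 0:
        # Every value equals the median; nothing can be called an outlier.
        return [0.0 for _ in values]
    return [0.6745 * (v - m) / mad for v in values]


def audit(events, allowed, threshold=3.5):
    """Group events by case, then flag process bypasses and outlying amounts.

    Returns {case_id: [finding, ...]} containing only the cases that failed
    to fit the positive model; everything else was silently approved.
    """
    runs = defaultdict(list)
    amounts = {}
    for case, step, amount in events:
        runs[case].append(step)
        amounts[case] = amount

    findings = {}
    for case, run in runs.items():
        bad = unapproved_transitions(run, allowed)
        if bad:
            findings.setdefault(case, []).append(
                f"unapproved transition(s): {bad}")

    cases = sorted(amounts)
    scores = modified_zscores(amounts[c] for c in cases)
    for case, z in zip(cases, scores):
        if abs(z) > threshold:  # 3.5 is the conventional cutoff for this score
            findings.setdefault(case, []).append(
                f"amount outlier, modified z={z:.1f}")
    return findings


if __name__ == "__main__":
    model = learn_allowed_transitions(KNOWN_GOOD_RUNS)
    for case, notes in sorted(audit(EVENTS, model).items()):
        print(case, "->", "; ".join(notes))
```

Run stand-alone, the script reports only C4 (pay without approve, the process equivalent of going around authentication) and C5 (amount outlier); the three normal cases are approved without producing any "no" for an analyst to wade through. In practice the allow-list would be learned from a much larger history and the threshold tuned per process, but the shape is the same: approve what matches, examine what does not.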
This may seem like security fantasyland, or something still on the drawing board, but it is not. The problem is not that such tools are unavailable or that they don't work. They are available.
Like most paradigm shifts, it takes a while for people to get it, and human nature sometimes confuses threats with benefits. We need to start leveraging tools that can view, audit and improve business processes and improve security at the same time.