Monday, July 02, 2007

Asset-Centric vs Threat-Centric Digital Situational Awareness

As an Air Force officer I was taught the importance of situational awareness (SA). The surprisingly good (at least for now) Wikipedia entry describes SA as "knowing what is going on so you can figure out what to do" (Adam, 1993) and knowing "what you need to know not to be surprised" (Jeannot et al., 2003). Wikipedia also mentions fighter pilots who leveraged SA to win dogfights. When applied to information security, I like to use the term digital situational awareness (DSA).

In 2005 I invented the term pervasive network awareness (PNA) for my book Extrusion Detection to describe one way to achieve a certain degree of SA:

Pervasive network awareness is the ability to collect the network-based information -- from the viewpoint of any node on the network -- required to make decisions.

PNA is inherently an asset-centric means to improve SA. PNA involves watching assets for indications of violations of confidentiality, integrity, and/or availability (the CIA triad). An asset-centric approach is not the only means to detect incidents, however.

During the past few years several firms have offered services that report indications of security incidents using threat-centric means. These services are not traditional managed security service providers (MSSPs) because they are not watching assets, per se, under the control or operation of a client. In other words, these firms are not placing sensors on company networks and watching for breaches involving monitored systems.

Rather, these next-generation firms seek and investigate infrastructure used by threats to perpetrate their crimes. For example, a threat-centric security firm will identify and analyze the command-and-control mechanisms used by malware or crimeware. The reporting mechanism will be mined for indications of hosts currently under unauthorized control. An example of this is the ongoing Mpack activity I mentioned in Web-Centric Short-Term Incident Containment.

These services improve digital situational awareness by taking a threat-centric approach. The ultimate threat-centric approach would be to monitor activities of the threats themselves, by instrumenting and observing their workplace, communications lines, and/or equipment. Since that is out of the reach of everyone except law enforcement (and usually beyond their reach unless they are extraordinarily lucky and persistent), watching command-and-control channels is the next best bet.

Asset-centric and threat-centric DSA are not mutually exclusive. In fact, threat-centric DSA is a powerful complement to asset-centric DSA. If a company subscribes to a threat-centric DSA service, the service may report that a company system has been compromised and is leaking sensitive data. If confirmed to be true, and if not detected by asset-centric means, the event shows the following:

  • Preventative measures failed (since the asset was compromised).

  • Asset-centric monitoring failed (since it was not detected).

  • Incident response must be initiated (since the compromised asset is not just vulnerable, but actually under the control of an unauthorized party).

With this new understanding, prevention and detection measures can hopefully be improved to reduce the chances of future incidents.
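The cross-check described above, written out as an added example (this is not code from the original post or from any of the services it mentions). It takes a constructed report from a hypothetical threat-centric service (addresses seen checking in to a command-and-control channel), the company's own asset inventory, and the alerts its asset-centric monitoring produced, and for each reported host decides whether the address is actually a company asset, whether internal monitoring caught it near the reported time, and therefore which of the three conclusions apply. All addresses, times and signature names are constructed sample data; the 48-hour correlation window is an assumption.

```python
"""Correlate a threat-centric compromise report with asset-centric records.

Added example with constructed data; the service, addresses and alert
signatures are hypothetical and the 48-hour window is an assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Conclusions the post draws when a reported compromise is confirmed.
PREVENTION_FAILED = "preventative measures failed: the asset was compromised"
MONITORING_FAILED = "asset-centric monitoring failed: no internal alert near the reported time"
IR_REQUIRED = "incident response required: the asset is under unauthorized control"
NOT_OUR_ASSET = "address not in asset inventory: verify ownership before acting"

# Constructed report from a hypothetical threat-centric service: hosts it
# observed checking in to a command-and-control channel it is monitoring.
THREAT_REPORT = [
    {"ip": "192.0.2.17", "first_seen": "2007-06-28T03:14:00", "c2": "c2.example.invalid"},
    {"ip": "192.0.2.44", "first_seen": "2007-06-29T11:02:00", "c2": "c2.example.invalid"},
    {"ip": "203.0.113.9", "first_seen": "2007-06-29T12:00:00", "c2": "c2.example.invalid"},
]

# Constructed asset inventory: the address space the company owns.
ASSET_INVENTORY = ["192.0.2.0/24"]

# Constructed alerts from the company's own asset-centric monitoring.
ASSET_ALERTS = [
    {"ip": "192.0.2.44", "time": "2007-06-29T11:30:00", "sig": "outbound POST to known C2"},
    {"ip": "192.0.2.17", "time": "2007-06-20T08:00:00", "sig": "inbound port scan"},  # stale
]


@dataclass
class Finding:
    host: str
    confirmed_asset: bool
    detected_internally: bool
    conclusions: list = field(default_factory=list)


def in_inventory(ip: str, networks: list) -> bool:
    """True if the reported address falls inside a network the company owns."""
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in networks)


def detected_internally(ip: str, first_seen: str, alerts: list, window: timedelta) -> bool:
    """True if asset-centric monitoring raised an alert for this host within
    `window` of the time the external service first saw it on the C2 channel.
    Alerts far outside the window (an old port scan) do not count as detection."""
    seen = datetime.fromisoformat(first_seen)
    for alert in alerts:
        if alert["ip"] != ip:
            continue
        if abs(datetime.fromisoformat(alert["time"]) - seen) <= window:
            return True
    return False


def triage(report: list, networks: list, alerts: list,
           window: timedelta = timedelta(hours=48)) -> list:
    """Apply the post's reasoning to each reported host.

    An address outside the inventory is not confirmed as a company asset
    (it may be a NAT egress, a reassigned ISP address, or a misattribution),
    so no conclusions about prevention or monitoring are drawn for it."""
    findings = []
    for entry in report:
        ip = entry["ip"]
        if not in_inventory(ip, networks):
            findings.append(Finding(ip, False, False, [NOT_OUR_ASSET]))
            continue
        detected = detected_internally(ip, entry["first_seen"], alerts, window)
        conclusions = [PREVENTION_FAILED]
        if not detected:
            conclusions.append(MONITORING_FAILED)
        conclusions.append(IR_REQUIRED)
        findings.append(Finding(ip, True, detected, conclusions))
    return findings


def monitoring_gaps(findings: list) -> list:
    """Confirmed company assets the threat-centric service reported but
    asset-centric monitoring missed: the cases that should drive improvements."""
    return [f.host for f in findings if f.confirmed_asset and not f.detected_internally]


if __name__ == "__main__":
    results = triage(THREAT_REPORT, ASSET_INVENTORY, ASSET_ALERTS)
    for finding in results:
        print(finding.host)
        for line in finding.conclusions:
            print("   -", line)
    print("monitoring gaps:", monitoring_gaps(results))
```

The inventory check comes first on purpose: the post's conclusions only hold once the report is confirmed to concern a company system, and a threat-centric service sees addresses, not owners. Host-level confirmation (examining the machine itself) is still a manual step before the incident response conclusion is acted on.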

Please do not ask me for recommendations on any of these services; I am not trying to promote anyone. However, I have mentioned two such services before, namely Support Intelligence in Month of Owned Corporations and Secure Science in my review of Phishing Exposed.
