
Recently I was taking my four-year-old son to the movies. As we loaded into the car he asked, "Dad, how long is it before we get there?"
I replied that it would take "about 15 minutes".
He said, "Dad, is that a long time?"
I thought about it and told him, "It depends on your perspective".
He paused for a while and replied in a commanding tone, "Dad, I would like your perspective to be two minutes".
This perfectly sums up how my month has been. Too much to do and too little time allocated to do it.
Ironically, at work I'm spending most of my time on a feature designed to save time for Security Analysts. I can't really say what it is at the moment, but it builds on some well established techniques for maximizing the precious hours analysts can spend with security products on a day-to-day basis.
I thought I would take a look back at some of the features security products have added to make the analysts job more effective.
Correlation, Categorization and Ranking
Recently Mike Rothman wrote a post on his blog about the role of correlation in assisting analysts engulfed in data. Not only can correlation help identify patterns indicative of malicious activity, but it can track and find the low-and-slow attacks that are increasingly difficult to detect by looking at raw events or high-level trends.
He states, "We need to be more efficient, without sacrificing effectiveness. The only way I know to do this is to automate as much as possible and that’s where correlation comes in. If we can have a machine looking at all the data, matching patterns and highlighting potential issues, we can focus our (human) efforts on only the attacks that represent the biggest chance of compromise."
In a world where security events can be measured in terabytes, correlation is a vital feature.
Many security products and most SIEMs also perform some form of categorization and ranking. The categorization helps to properly identify the types of activity being monitored, while the ranking can take into account elements like the value of the target asset, the severity of the attack and the state of a given vulnerability (patched/unpatched) in order to bring to attention the events that pose the highest risk.
Combined, these features improve the ability to inspect relevant events and find the events worthy of detailed investigation.
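The two ideas in this section, correlating events over time to surface low-and-slow activity and ranking events by asset value, severity and patch state, are easy to see in code. The following is an added example written for this post, not code from any product named here; the event fields, the asset table and the sample events are all constructed, and the scoring weights are assumptions chosen to make the point.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical event record; the field names are this example's, not any product's.
@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    category: str   # e.g. "auth-failure", "exploit-attempt", "port-scan"
    severity: int   # 1 (info) .. 5 (critical), as the sensor reported it

# Asset context an analyst would normally pull from a CMDB or vulnerability
# scanner (constructed sample data).
ASSET_VALUE = {"db01": 5, "web01": 3, "kiosk07": 1}
UNPATCHED = {"db01": {"exploit-attempt"}}   # host -> attack categories it is still exposed to

def risk_score(e: Event) -> float:
    """Rank one event: sensor severity times target value, doubled when the
    target is known to be unpatched against that kind of attack (assumed weights)."""
    value = ASSET_VALUE.get(e.dst, 1)
    exposed = e.category in UNPATCHED.get(e.dst, set())
    return e.severity * value * (2.0 if exposed else 1.0)

def rank_events(events):
    """Highest-risk events first, so the analyst's queue starts with what matters."""
    return sorted(events, key=risk_score, reverse=True)

def low_and_slow(events, window=timedelta(hours=6), min_count=20, max_per_minute=1):
    """Correlate auth failures per source: flag sources whose total inside a long
    window is high even though no single minute ever looks busy. A burst that a
    per-minute threshold would already catch is deliberately not reported here."""
    by_src = defaultdict(list)
    for e in events:
        if e.category == "auth-failure":
            by_src[e.src].append(e.ts)
    flagged = []
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):            # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= min_count:
                per_min = defaultdict(int)
                for t in times[lo:hi + 1]:
                    per_min[t.replace(second=0, microsecond=0)] += 1
                if max(per_min.values()) <= max_per_minute:
                    flagged.append(src)
                break
    return flagged

def sample_events():
    """Constructed sample: one slow brute force, one noisy burst, three single events."""
    t0 = datetime(2009, 3, 1, 0, 0)
    evts = []
    for i in range(30):   # one failure every 10 minutes for 5 hours from 10.0.0.9
        evts.append(Event(t0 + timedelta(minutes=10 * i), "10.0.0.9", "web01", "auth-failure", 1))
    for i in range(25):   # 25 failures inside one minute from 10.0.0.5
        evts.append(Event(t0 + timedelta(seconds=2 * i), "10.0.0.5", "web01", "auth-failure", 1))
    evts.append(Event(t0, "203.0.113.7", "db01", "exploit-attempt", 4))
    evts.append(Event(t0, "203.0.113.8", "kiosk07", "exploit-attempt", 5))
    evts.append(Event(t0, "10.0.0.3", "web01", "port-scan", 2))
    return evts

if __name__ == "__main__":
    evts = sample_events()
    for e in rank_events(evts)[:3]:
        print(f"{risk_score(e):5.1f}  {e.category:16} {e.src} -> {e.dst}")
    print("low-and-slow sources:", low_and_slow(evts))
```

Note what the ranking does with the raw severity: the severity-5 exploit attempt against the kiosk lands below the severity-4 attempt against the unpatched database, because asset value and patch state are part of the score. The correlation pass reports only the source that spreads its failures out, which is exactly the pattern a per-minute rate alert misses.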
Metrics
While it's important to see malicious activity, it's also important to see the overall health of the systems being protected and how the security products are functioning. Metrics are a key way to see the 'big picture' and track the progress over time. After all you can't manage what you can't measure.
Though not from the security space, the words from Charlie Munger’s book ‘Poor Charlie's Almanack’ sum up the need for metrics: “You’ve got a complex system and it spews out a lot of wonderful numbers that enable you to measure some factors ... practically everybody (1) overweighs the stuff that can be numbered, because it yields to the statistical techniques they’re taught in academia, and (2) doesn’t mix in the hard-to-measure stuff that may be more important.”
According to Andrew Jaquith in the book “Security Metrics: Replacing Fear, Uncertainty and Doubt”, too many systems use time as the denominator for a counter. It's much more valuable for something like a firewall to use the amount of good traffic as the denominator, thereby putting the amount of dropped traffic in context.
Security products that implement good metrics also help analysts spend less time justifying the cost of the security program to management. Amrit Williams once said, “How much the company funds security efforts is directly proportional to your ability/inability to provide adequate security metrics and prove ROI”. If quality metrics are baked into the products, this justification process can be as simple as running a report; otherwise the analysts spend a few days mired in Excel-land each quarter.
Dashboards and Visualizations
The dashboard has become far more than a marketing tool. In most products today it's the first stop for an analyst performing their daily duties. Dashboards have evolved to show the key metrics and counters, and highlight the high-priority items of investigation.
The quality of the visualizations used in dashboards is critical. I'm a big fan of Edward Tufte, who tirelessly crusades against improper visualization. He introduces time-saving concepts such as the sparkline, which Stephen Few went on to use in his dashboard examples for "Information Dashboard Design". I have seen an increase in effective dashboards lately. Not only does this help with data clarity, but it saves precious time.
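Jaquith's point about the denominator (from the Metrics section) and the sparkline mentioned here fit together well: the metric has to be normalized before a tiny chart can be trusted. The following is an added example written for this post, not code from Tufte, Few, Jaquith or any product; the hourly firewall counters are constructed, with traffic doubling halfway through the day while the share of dropped packets stays the same.

```python
# Constructed hourly firewall counters: (allowed_packets, dropped_packets).
# Load doubles in the second half of the day; the proportion dropped does not change.
HOURLY = [(10_000, 100)] * 12 + [(20_000, 200)] * 12

def drops_per_hour(counters):
    """Time as the denominator: dropped packets per hour. Tracks load, not risk."""
    return [dropped for _, dropped in counters]

def drop_ratio(counters):
    """Good traffic as the denominator (Jaquith): dropped per allowed packet."""
    return [dropped / allowed if allowed else 0.0 for allowed, dropped in counters]

BARS = "▁▂▃▄▅▆▇█"   # eight block heights, lowest to highest

def sparkline(values):
    """Render a series as a one-line sparkline, scaled to the series' own min/max.
    A flat series renders as a flat line rather than raising a ZeroDivisionError."""
    if not values:
        return ""
    lo, hi = min(values), max(values)
    span = (hi - lo) or 1.0
    return "".join(BARS[int((v - lo) / span * (len(BARS) - 1))] for v in values)

if __name__ == "__main__":
    print("drops/hour  ", sparkline(drops_per_hour(HOURLY)))
    print("drop ratio  ", sparkline(drop_ratio(HOURLY)))
```

On the constructed data the per-hour sparkline jumps to full height at noon and looks like an incident, while the ratio sparkline stays flat: nothing about the firewall's behaviour changed, only the amount of traffic it saw. That is the difference between a dashboard that prompts an investigation and one that wastes an afternoon.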
Dashboards also have another critical time-saving trick up their sleeves, the almighty drill down. The ability to drill into the events for a closer inspection saves time configuring otherwise complicated search criteria.
Visualizations also figure heavily into other parts of the system, from reports to graphical depictions in the event viewers. The science of security visualizations has come a long way with publications like Raffael Marty's "Applied Security Visualization" and the website SecViz.org. Designed correctly, visualizations can maximize time by providing visibility into anomalies or trends.
As an architect of an information security management product I realize the importance of maximizing the time analysts have available. Sometimes this involves finding the critical pieces of information, other times it's displaying the information in an effective way. It's also important that the products don't mislead analysts, wasting time on investigations that don't pan out.
Security products have come a long way towards respecting the resources dedicated to evaluating their outputs, but it isn't time to rest just yet. There are still ways to save more time. As my son taught me, all we need is a little (forced) perspective change.