Sometimes the big picture deceives us.
Last night as I was drifting off to sleep I was interrupted by the sound of the doorbell. In my haze I assumed it was some kids pulling a prank and tried to go back to sleep, but still the ringing persisted. Finally I was forced to investigate, so I went downstairs to the door where I found one scary looking dude on my doorstep.
"Your car rolled into the street", he said.
"My car is inside the garage", I replied (hoping that it was indeed true).
"Is your car a Civic?", he asked. To which I responded, "No", and just like that the Midnight Ringer was off.
Puzzled, I went back upstairs and looked out the window. Sure enough there was a Honda Civic in the middle of the road looking indeed like it had just rolled out of my driveway.
I dismissed it and went back to bed. A little while later I was awoken again by the doorbell. This time I went downstairs and opened the door, immediately stating, "The car is not mine". That took care of the second visitor quickly, but I realized that if my family and I were going to get any sleep I was going to need some help. So I taped a sign to the door, "THE CAR IS NOT OURS!!!"
A little later on I was awoken yet again, this time by flashing lights. The city police were investigating the oddly parked Civic. Like any rational person with access to the DMV's database, the officer started with a lookup of the plate number. The problem was, the car did not belong to someone in the neighborhood, so there was no easy win. Then the officer, like the others, looked at the car's positioning and concluded that it had to have come from my driveway, so to my door he came. Seeing my posted message he then had little alternative but to begin the slow process of waking my surrounding neighbors in search of the culprit.
This rather annoying incident reminds me of the traditional approach to incident response. We look at the SIEM alerts and start digging on the most likely source and target of the event. We look at the big picture, form a hypothesis, and when that doesn't pan out, move on to the next theory. It's all part of the investigative process.
We are missing something here. Sometimes the big picture isn't the key metric that we need. Sometimes the devil is in one little detail.
Had the officer started with the positioning of the wheels, he would have seen that the angle on them would have left the car quite crookedly parked in my driveway, but was a perfect fit for the curb up the street. Instead he spent an hour working through the investigative process because he was misled by the big picture (the position of the car).
When we have an incident in information security, looking at the big picture in metrics and correlated events can sometimes obscure the nugget of information that could save us hours or days of investigation. With the right piece of information, you can jump to the correct answer without a full investigation. A quick scan of the raw logs can often highlight the one piece of the puzzle that explains how the rest of the event unfolded, far better than a high-level summary can. The human eye is adept at this type of scan; volume, however, is the enemy. Perhaps in the future information security software will be able to assist us. The management systems need to get analysts and investigators beyond the dashboard and highlight the key parts of the trace events that can unlock the mystery.
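To make the "wheel angle" point concrete, here is an added example that is not part of the original post. It runs over a handful of constructed sshd auth log lines (made up for this illustration, not real traffic). The dashboard view, failed logins counted per host, points at web01 as the target of a brute-force attempt. The single raw line that actually matters is an accepted password login on a different host from the same source address that was failing everywhere else. The host names, user names and addresses are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (made up for this example, not real traffic).
RAW_LOG = """\
Jan 14 02:11:03 web01 sshd[4411]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 14 02:11:05 web01 sshd[4411]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 14 02:11:08 web01 sshd[4412]: Failed password for admin from 203.0.113.7 port 51030 ssh2
Jan 14 02:11:11 web01 sshd[4413]: Failed password for admin from 203.0.113.7 port 51031 ssh2
Jan 14 02:11:15 web01 sshd[4414]: Failed password for oracle from 203.0.113.7 port 51040 ssh2
Jan 14 02:11:20 web02 sshd[3102]: Failed password for root from 203.0.113.7 port 51044 ssh2
Jan 14 02:11:31 web01 sshd[4415]: Failed password for root from 203.0.113.7 port 51052 ssh2
Jan 14 02:12:02 db02 sshd[2201]: Accepted password for svc_backup from 203.0.113.7 port 51077 ssh2
Jan 14 02:12:40 db02 sshd[2202]: Accepted publickey for backup from 198.51.100.9 port 40312 ssh2
Jan 14 02:13:05 web01 sshd[4416]: Failed password for root from 203.0.113.7 port 51090 ssh2
"""

# Matches the common sshd "Accepted/Failed <method> for <user> from <ip> port <n>" shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(raw):
    """Parse sshd auth lines into dicts; lines that do not match are skipped."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def dashboard(events):
    """The big picture: failed logins per host, what a SIEM widget would show."""
    return Counter(e["host"] for e in events if e["result"] == "Failed")


def key_detail(events):
    """The wheel angle: successful logins from a source that was also failing elsewhere."""
    failing_ips = {e["ip"] for e in events if e["result"] == "Failed"}
    return [e for e in events if e["result"] == "Accepted" and e["ip"] in failing_ips]


if __name__ == "__main__":
    evs = parse(RAW_LOG)
    print("Failed logins by host:", dashboard(evs).most_common())
    for hit in key_detail(evs):
        print(f"Accepted {hit['method']} on {hit['host']} for {hit['user']} "
              f"from {hit['ip']} at {hit['ts']}")
```

The summary says "web01 is under attack", which is true but leads the analyst to the wrong door; the one accepted login on db02 is where the incident actually is. The point of `key_detail` is that the filter is a cross-reference of a field in the raw events, not a count, which is exactly what a dashboard tends to throw away.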
The fact that even my sleep-deprived mind can take a random event like this and relate it to information security is a little disturbing. Now you'll have to excuse me while I take a nap...
