While watching TV today, two completely different shows made me think of information security issues and our shortcomings when it comes to data.

The first was related to national security: a guest on Campbell Brown on CNN was discussing the successes and failures of our national intelligence agencies. The guest stated that we were gathering 1.something billion communications (think email and phone calls) per month and that we don’t have the ability to analyze all that information.

After getting my fill of the news I switched over to a cable channel playing Fletch, the 1985 comedy starring Chevy Chase as a reporter following a story. In one scene Fletch is performing some research on his subject. He and his assistant are shown using a microfiche machine looking through old news articles. For those too young to remember, see http://en.wikipedia.org/wiki/Microfiche. He then goes to the hospital to find medical records on his subject, and on the desk in the records room, replete with a bumper sticker that says “I heart my computer”, is a lone computer in this room full of shelves of files. He accesses the green screen, pulls the needed information, and the story moves on.

What made me think of security is that prior to this past decade we suffered, as Fletch does, from a lack of readily searchable and available security information (think logs). Today we suffer just as the intelligence agencies do, in that we have more information than we know what to do with (think of the poor guy who has to read the logs). We have gone from “I can’t find it because I don’t have the information” to, well, “I can’t find it because there is too much information”.
As an example, SIEM systems today work to some extent. While they all claim to work perfectly with all types of sources, in reality the results range from worthless to somewhat helpful. Again, just like today’s problem of too much information, we often miss attacks or warning signs due to a lack of correlation of the right kinds of information. These systems take in log files and spit back out alerts fired off via email. This made me think of an issue that has long bothered me: why can’t these systems take data and make it actionable through visual representations instead of an email? Why can’t we take all of the traffic logs of our egress devices (e.g. firewalls, web proxies, etc.) and represent the data in a visual pattern? Maybe as spheres of different sizes placed on a map that represent sources and destinations, or port and protocol combinations. While we’re at it, why can’t we represent ALL security data visually? To highlight the difference between visual and non-visual representation, think of a doctor reading an x-ray film. While it may be beneficial for you to hear it described as “your ulna, which is next to the radius, and connects your hand to the upper arm via the humerus, has a hairline fracture approximately 3 inches above the wrist bone”, wouldn’t it be better if he showed you the x-ray, pointed to the site and said “right there, your bone is broken”?
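To make the “spheres on a map” idea concrete, here is an added example (not code from the original post, and not a real SIEM or firewall product) that reduces egress traffic logs to exactly the numbers a bubble map needs: a size per host, a connection count per source/destination pair, and a byte total per port/protocol combination. The `src=… dst=…` log format and the sample lines are constructed for the example; a real firewall or proxy log would need its own parser. It also scales sphere radii so that area, not radius, is proportional to volume, which is what makes a visual comparison honest, and it flags port/protocol combinations whose volume is far above the median as candidates worth a look.

```python
"""Aggregate constructed egress logs into weights for a bubble-map view."""
import math
import re
from collections import defaultdict
from statistics import median

# Constructed sample lines in a simple key=value format (not a vendor format).
SAMPLE_LOGS = """\
src=10.0.1.15 dst=93.184.216.34 proto=tcp dport=443 bytes=18432
src=10.0.1.15 dst=93.184.216.34 proto=tcp dport=443 bytes=22010
src=10.0.1.22 dst=93.184.216.34 proto=tcp dport=80 bytes=5120
src=10.0.1.22 dst=198.51.100.7 proto=udp dport=53 bytes=96
src=10.0.1.40 dst=198.51.100.7 proto=tcp dport=4444 bytes=1048576
src=10.0.1.40 dst=198.51.100.7 proto=tcp dport=4444 bytes=1048576
src=10.0.1.15 dst=198.51.100.7 proto=udp dport=53 bytes=80
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def aggregate(log_text):
    """Return (nodes, edges, services).

    nodes:    ip -> total bytes seen as source or destination (sphere size)
    edges:    (src, dst) -> number of connections (line thickness)
    services: (proto, dport) -> total bytes (a second, per-service bubble set)
    """
    nodes = defaultdict(int)
    edges = defaultdict(int)
    services = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not counted
        nodes[rec["src"]] += rec["bytes"]
        nodes[rec["dst"]] += rec["bytes"]
        edges[(rec["src"], rec["dst"])] += 1
        services[(rec["proto"], rec["dport"])] += rec["bytes"]
    return dict(nodes), dict(edges), dict(services)


def sphere_radii(nodes, max_radius=50.0):
    """Scale so that sphere AREA is proportional to bytes (radius ~ sqrt)."""
    biggest = max(nodes.values())
    return {ip: max_radius * math.sqrt(b / biggest) for ip, b in nodes.items()}


def volume_outliers(services, factor=10.0):
    """Port/protocol combinations carrying more than `factor` x the median bytes."""
    mid = median(services.values())
    return sorted(k for k, v in services.items() if v > factor * mid)


if __name__ == "__main__":
    nodes, edges, services = aggregate(SAMPLE_LOGS)
    for ip, r in sorted(sphere_radii(nodes).items()):
        print(f"{ip:16} bytes={nodes[ip]:>9} radius={r:5.1f}")
    print("outlier services:", volume_outliers(services))
```

The radii and edge counts are what you would hand to a plotting library; the outlier list is the kind of thing that might trigger the email alert the post complains about, but here it simply gets drawn larger than everything else on the map.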
One other unexplored area, which is understandable given that we rarely know how to analyze the data we do have, is access recertification. In case you’re not familiar, recertification is the process of certifying that an account, or individual, needs a certain level of access within an application or system. For example, a clerk may need the ability to cut checks up to a certain dollar amount, while anything over that amount requires the next level of “supervisor” access. While we have systems that facilitate this process by providing detail on current access levels and a nice web interface, none of these systems use actual log data to help a “certifier” make a decision. Wouldn’t it be interesting if a manager could certify a person’s level of access, but also have the knowledge of what levels of access or systems that individual has used in, say, the past month or year? It may be easier to understand what levels of access individuals need if we could simply point to the analysis of the logs and say “that user has not logged into this system, although they have access, in the past year”. Then, let’s make that a visual representation…
Just a thought.