Michael Collins - Network Security Through Data Analysis: From Data to Action

by Michael Collins

Copyright 2017 Michael Collins. All rights reserved.

Printed in the United States of America.

Published by OReilly Media, Inc. , 1005 Gravenstein Highway North, Sebastopol, CA 9547.

OReilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com/safari). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com .

• Editors: Courtney Allen and Virginia Wilson
• Production Editor: Nicholas Adams
• Copyeditor: Rachel Head
• Proofreader: Kim Cofer
• Indexer: WordCo Indexing Services, Inc.
• Interior Designer: David Futato
• Cover Designer: Karen Montgomery
• Illustrator: Rebecca Demarest

• February 2014: First Edition
• September 2017: Second Edition

See http://oreilly.com/catalog/errata.csp?isbn=9781491962848 for release details.

The OReilly logo is a registered trademark of OReilly Media, Inc. Network Security Through Data Analysis, the cover image, and related trade dress are trademarks of OReilly Media, Inc.

While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

978-1-491-96284-8

[LSI]

This book is about networks: monitoring them, studying them, and usingthe results of those studies to improve them. Improve in thiscontext hopefully means to make more secure, but I dont believe wehave the vocabulary or knowledge to say that confidently at least notyet. In order to implement security, we must know what decisions wecan make to do so, which ones are most effective to apply, and theimpact that those decisions will have on our users. Underpinningthese decisions is a need for situational awareness.

Situational awareness, a term largely used in military circles, isexactly what it says on the tin: an understanding of the environmentyoure operating in. For our purposes, situational awarenessencompasses understanding the components that make up your network andhow those components are used. This awareness is often radicallydifferent from how the network is configured and how the network wasoriginally designed.

To understand the importance of situational awareness in informationsecurity, I want you to think about your home, and I want you to countthe number of web servers in your house. Did you include your wirelessrouter? Your cable modem? Your printer? Did you consider the webinterface to CUPS? How about your television set?

To many IT managers, several of the devices just listed wont have registered as web servers. However, most modern embedded devices havedropped specialized control protocols in favor of a web interface to an outside observer, theyre just web servers, with known web servervulnerabilities. Attackers will often hit embedded systems withoutrealizing what they are the SCADA system is a Windows server with acouple of funny additional directories, and the MRI machine is aperfectly serviceable spambot.

This was all an issue when I wrote the first edition of the book; atthe time, we discussed the risks of unpatched smart televisions andvulnerabilities in teleconferencing systems. Since that time, theInternet of Things (IoT) has become even more of a thing, with millions ofremotely accessible embedded devices using simple (and insecure) webinterfaces.

This book is about collecting data and looking at networks in order tounderstand how the network is used. The focus is on analysis, whichis the process of taking security data and using it to make actionabledecisions. I emphasize the word actionable here becauseeffectively, security decisions are restrictions on behavior.Security policy involves telling people what they shouldnt do (or,more onerously, telling people what they must do). Dont use apublic file sharing service to hold company data, dont use 123456as the password, and dont copy the entire project server and sell itto the competition. When we make security decisions, we interferewith how people work, and wed better have good, solid reasons fordoing so.

All security systems ultimately depend on users recognizing andaccepting the tradeoffs inconvenience in exchange for safety butthere are limits to both. Security rests on people: it rests on theindividual users of a system obeying the rules, and it rests onanalysts and monitors identifying when rules are broken. Security isonly marginally a technical problem information security involvesendlessly creative people figuring out new ways to abuse technology,and against this constantly changing threat profile, you needcooperation from both your defenders and your users. Bad securitypolicy will result in users increasingly evading detection in order toget their jobs done or just to blow off steam, and that addsadditional work for your defenders.

The emphasis on actionability and the goal of achieving security iswhat differentiates this book from a more general text on datascience. The section on analysis proper covers statisticaland data analysis techniques borrowed from multiple other disciplines,but the overall focus is on understanding the structure of a networkand the decisions that can be made to protect it. To that end, I have abridged the theory as much as possible, and have also focused onmechanisms for identifying abusive behavior. Security analysis hasthe unique problem that the targets of observation are not only awaretheyre being watched, but are actively interested in stopping it if atall possible.