Collins - Network security through data analysis: from data to action

This book is about networks: monitoring them, studying them, andusing the results of those studies to improve them. Improve in thiscontext hopefully means to make more secure, but I dont believe we have thevocabulary or knowledge to say that confidentlyat least not yet. Inorder to implement security, we try to achievesomething more quantifiable and describable: situational awareness .

Situational awareness, a term largely used in military circles, isexactly what it says on the tin: an understanding of the environmentyoure operating in. For our purposes, situational awarenessencompasses understanding the components that make up your network and howthose components are used. This awareness is often radically different from how the network is configured and how the network wasoriginally designed.

To understand the importance of situational awareness in informationsecurity, I want you to think about your home, and I want you to countthe number of web servers in your house. Did you include your wirelessrouter? Your cable modem? Your printer? Did you consider the webinterface to CUPS? How about your television set?

To many IT managers, several of the devices listed didnt evenregister as web servers. However, embedded web servers speak HTTP,they have known vulnerabilities, and they are increasingly common asspecialized control protocols are replaced with a web interface.Attackers will often hit embedded systems without realizing what theyarethe SCADA system is a Windows server with a couple of funnyadditional directories, and the MRI machine is a perfectly serviceablespambot.

This book is about collecting data and looking at networks in order tounderstand how the network is used. The focus is on analysis, which is theprocess of taking security data and using it to make actionable decisions. I emphasize the word actionable here because effectively, securitydecisions are restrictions on behavior. Security policyinvolves telling people what they shouldnt do (or, more onerously,telling people what they must do). Dont use Dropbox to hold companydata, log on using a password and an RSA dongle, and dont copy the entireproject server and sell it to the competition. When we make securitydecisions, we interfere with how people work, and wed better have good, solid reasons for doing so.

All security systems ultimately depend on users recognizing theimportance of security and accepting it as a necessary evil. Security rests on people: it rests on the individual users of asystem obeying the rules, and it rests on analysts and monitorsidentifying when rules are broken. Security is only marginally atechnical probleminformation security involves endlessly creativepeople figuring out new ways to abuse technology, and against thisconstantly changing threat profile, you need cooperation from bothyour defenders and your users. Bad security policy will result inusers increasingly evading detection in order to get their jobs done orjust to blow off steam, and that adds additional work for yourdefenders.

The emphasis on actionability and the goal of achieving security iswhat differentiates this book from a more general text on datascience. The section on analysis proper covers statisticaland data analysis techniques borrowed from multiple other disciplines,but the overall focus is on understanding the structure of a networkand the decisions that can be made to protect it. To that end, I have abridged the theory as much as possible, and have also focused onmechanisms for identifying abusive behavior. Security analysis hasthe unique problem that the targets of observation are not only awaretheyre being watched, but are actively interested in stopping it if atall possible.