Key elements of security threat


This document describes the evolution of Security Monitoring Solutions and the next stage in the SIEM evolution

Published in: Technology

The Art of Digital War

The objective of this section is to identify the issues around a digital intrusion. The following diagram shows the picture of a digital intrusion time line (by an internal or external Intruder, or an automated Intruder – virus / worm / bots etc.) along with the Vulnerability time line and security monitoring tools with current features and future building blocks. The focus is on the fundamental problems, and it will not go into analyzing different digital attack patterns or any vulnerability analysis.

The latest CERT report lists a total of 5990 vulnerabilities for the year 2005 [1], an increase of 58.5% over the year 2004 and a 3402% increase over the year 1995. Usually a vulnerability in an application is due to an unidentified bug in the code. However, there are times when backdoors are written explicitly into some application to get into a user's machine. An intentional backdoor into any system is more dangerous than an accidental bug due to an oversight or bad coding practices. A huge debate has gone on over the recent WMF (Windows Meta File) Vulnerability – Microsoft Security Advisory (912840) [2] as to whether it is an intentional backdoor or not.

"Speeding up the patch process is never going to solve the problem; it is never going to be fast enough. We need to be investing very heavily in zero-day defenses, because another zero-day will happen. There is a lot of talk about whether (the software vendor has) gotten the patch out in time, but the real conversation should be about risk removal, not risk mitigation." – Richard Ford, associate professor of computer science, Florida Institute of Technology

"Application vulnerabilities propagate so rapidly today that the old methods of dealing with them no longer suffice. New standards like AVDL offer one of the best hopes of breaking this cycle by dramatically reducing the time between the discovery of a new vulnerability and the effective response at enterprise sites." – John Pescatore, Vice President of Security Research, Gartner

Security Threat Modeling

Security Threat Modeling is an essential process to protect the Assets (or applications). It helps organizations determine the correct controls and produce effective countermeasures within the budget. Effective management and understanding of the vulnerabilities is required to efficiently defend against attacks on those vulnerabilities. As the number of vulnerabilities increases year by year, the customer needs a mechanism to identify the most critical vulnerabilities in his enterprise.

The Core of Digital Security

The three key things in digital security for the enterprise are identifying and classifying the Intruder and their attacks on the Assets, and the Damage they can cause to the enterprise or the potential damage from similar attacks in the future. Regulatory compliance and other government regulations revolve around the core, or rather around monitoring the health of the core.

The above image shows the Intruder attack sophistication and the incident time line, which starts when the intruder finds the vulnerability in the enterprise, continues through the actual break-in, and ends with the damage he causes by information leakage, denial of service on critical systems, attacks on other systems, etc.

The Defense section shows the 3 phases, which are as follows: the Monitoring phase, Attack discovery on the assets, and the Containment and Remediation process. The key will be how efficiently we can correlate and provide relevant information back to the end user at the right time, so that he/she (the analyst) can stop the attack (while in progress) before it wreaks havoc in the enterprise.

The three core areas (Intruder, Assets and Damage) will remain the same today (2006) or even after 15 or 20 or 2000 years. What matters is how good we are at identifying these three key elements and building a robust Security Threat Model around them.

Intruders and their Attacks

Classification of an Intruder is critical in understanding the Threat the intruder poses. A good Security Threat Model needs to understand the strengths, weaknesses and attack methodologies of any Intruder. The Intruders are classified into 3 – Internal, External and Automated (Robotic) Intruder. Classification of Intruders helps us to prioritize the incidents and focus on the relevant incident.

Assets

Security revolves around protecting the Assets (behind every Asset there will be some applications). Asset oriented Security Monitoring will be the key in this evolution. Application infrastructure of the future will be heavily distributed in nature with SOA (Service Oriented Architecture). Protecting the business services will be the most important aspect in the service oriented world.

Asset Oriented Security Monitoring will eventually move towards applications and in the future will lead to protecting the collection of web services [3] which the applications publish. Security will go down to the fabric of the distributed applications. According to Forrester the ERP [4] market will be $24 Billion by the end of 2008. SAP [5], the leading ERP application provider, will be moving to Service Oriented Architecture by the end of 2008.

Classification of assets is important to protect the assets efficiently. Asset value alone will not yield this classification. For example, an asset which contains blog and user forum data will be classified differently compared to assets with financial transaction databases. There will be assets which require protection of data at rest [6] as well as protection of data on the wire.

Damage caused by Incidents and its impact

The above chart depicts the damage impact if a break-in happens. Today the users do the impact analysis manually, and a lot of different software applications are used in the complete process. Streamlining this business process and using this data to further improve the process will help in quick remediation and containment.

Tracking the cost of Incidents, the resources required for containment and remediation, and the time spent will help in predicting the actual cost involved if similar attacks happen in the future. This information can be used in the Security Threat Model to narrow down the attacks and vulnerabilities where the potential damage will be very high.

[1] CERT – 2005 Vulnerability List
[2] WMF Vulnerability – Microsoft Security Advisory 912840; Security Focus – "Zero-day WMF flaw underscores patch problems" by Robert Lemos, January 12, 2006
[3] Forrester – "Large Enterprises Pursue Strategic SOA" by Randy Heffner, April 5, 2005. URL fragment: ,7211,36580,00.html
[4] Forrester – "ERP Apps – Technology and Industry Battle Heats Up" by Paul Hamerman and R. Wang, June 9, 2005. URL fragment: ,7211,37058,00.html
[5] Forrester – "SAP's Big Bet To Revolutionize Apps" by Erin Kinikin, August 3, 2004. URL fragment: ,7211,34739,00.html
[6] Forrester Wave – Data Encryption Solutions, Q3 2005. URL fragment: ,7211,36486,00.html; DMReview – Information Management: "Application Security – Encryption of Data at Rest"

Digital Security - Building Blocks

The first generation of security management tools processed data from security devices like firewalls, intrusion detection systems and vulnerability scanners, apart from network devices like routers and switches. Correlation technologies correlated the events across the systems. However, these systems focused more on handling the events. This model is an extension of the log management systems which started off the Digital Security Management space.

The second generation Security Management tools focus more on entities like Assets and their relevance, Network and its importance, Attacker (with classification) and threat levels, and Vulnerability Severity relevant to the network. This model deviates from the first generation event based management as the focus is on the entity rather than the events. The entity model in the second generation simplifies the process of building a Security Threat Model compared to first generation event model based Risk or Threat Scores. The CSO [7] / CISO are focused more on protecting their assets instead of worrying about how many events passed through the network.

The third generation of Security Management will move closer to where the real action in the enterprise digital world is – ‘The Applications’. As per Forrester and Gartner [8], most of the enterprise applications will move towards SOA [9] (Service Oriented Architecture) by the end of 2008-2009. Cisco already announced the Cisco AON (Application Oriented Network) Architecture, where the focus is on routing the application specific traffic. At the end of the day security is all about protecting the data (information or knowledge) created by the applications (Assets in the enterprise), and the applications run 24/7.

The Fourth generation of Security Management will see the convergence of physical security with information security.
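The entity-centred scoring of the second generation, contrasted with first-generation event counting, as an added example that is not part of the original deck. The asset criticalities, intruder weights, the Event fields and the sample events are constructed assumptions of the example, not values from the page.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed inventory: the asset's class (blog/forum data vs. financial
# transactions), not its dollar value, drives criticality, as the page argues.
ASSETS = {"blog-web": 1, "erp-app": 5, "ledger-db": 5}
# Intruder classes from the page; the weights are this example's assumption.
INTRUDER_WEIGHT = {"internal": 3.0, "external": 2.0, "automated": 1.0}

@dataclass
class Event:
    src: str            # attacking host or account
    asset: str          # targeted asset, a key of ASSETS
    intruder: str       # internal / external / automated
    vuln_cvss: float    # severity of the vulnerability the event targets
    vuln_present: bool  # is that vulnerability actually on the target?

def incident_score(ev: Event) -> float:
    """Entity score = asset criticality x intruder weight x relevant severity.
    A vulnerability not present on the asset contributes nothing (the page's
    'Vulnerability Severity relevant to the network')."""
    criticality = ASSETS.get(ev.asset)
    if criticality is None or ev.intruder not in INTRUDER_WEIGHT:
        return 0.0  # unknown entity: cannot be scored by this model
    severity = ev.vuln_cvss if ev.vuln_present else 0.0
    return criticality * INTRUDER_WEIGHT[ev.intruder] * severity

def event_count_ranking(events):
    """First-generation view: rank assets by how many events they produced."""
    return Counter(ev.asset for ev in events).most_common()

def entity_ranking(events):
    """Second-generation view: one incident per (asset, intruder) pair,
    scored by the entities involved, highest risk first."""
    incidents = {}
    for ev in events:
        key = (ev.asset, ev.intruder)
        incidents[key] = max(incidents.get(key, 0.0), incident_score(ev))
    ranked = [(a, i, s) for (a, i), s in incidents.items() if s > 0]
    return sorted(ranked, key=lambda t: -t[2])

# Constructed sample: a noisy bot on the blog, one quiet insider event on the
# ledger, and an external probe for a vulnerability the ERP does not have.
SAMPLE = [
    Event("bot-1", "blog-web", "automated", 9.0, True),
    Event("bot-1", "blog-web", "automated", 7.5, True),
    Event("emp-42", "ledger-db", "internal", 6.5, True),
    Event("203.0.113.9", "erp-app", "external", 9.8, False),
]
```

Counting events puts the blog first; scoring the entities puts the insider against the ledger first and drops the external probe, whose vulnerability is not present.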
As per the Forrester forecast [10], Security Convergence spending for Europe and North America combined will be $11 Billion in 2008, compared to $506 million in 2004.

Conclusion

The objective of this document is to highlight the core of digital security and the expectations around the core. Around 30-40 years ago we knew that the fundamentals of the Atom [11] are the electron, proton and neutron. As science progressed we realized that protons and neutrons were made up of quarks [12], discovered hundreds of sub-atomic particles [13], and then finally arrived at ‘Strings’ and String theory [14]. However, electrons, protons and neutrons still remain fundamental particles (at the atomic level).

So, let me restate the core again. Do we think the above three elements will change in the year 2131 [15]? The answer is a big ‘NO’.

There will never be a silver bullet which will solve all the problems. What you can do is improve the probability of successfully defending against any attack. After so many advances in medical sciences the common cold still exists!

"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." – The Art of War, Sun Tzu (lived 500-320 BC)

[7] CSO Online
[8] Gartner – "Future of Enterprise Security", September 15, 2004; Gartner – "Cool Vendors in Security and Privacy", March 28, 2005
[9] Forrester – "Your Strategic SOA Platform Vision" by Randy Heffner, March 29, 2005. URL fragment: ,7211,35951,00.html; Forrester – "Development Roles In The World Of Service-Oriented Architecture", January 13, 2005. URL fragment: ,7211,35822,00.html; Forrester – "SOAP Vs REST – A Comparison" by Randy Heffner, September 13, 2004. URL fragment: ,7211,35361,00.html; Forrester Wave – Enterprise Service Bus, Q4 2005. URL fragment: ,7211,36162,00.html
[10] Forrester – "Trends 2005: Security Convergence Gets Real" by Steve Hunt, January 11, 2005. URL fragment: ,7211,36137,00.html; Forrester – "Converged IT And Physical Security: Small But Real" by Laura Koetzle, April 15, 2005. URL fragment: ,7211,36680,00.html
[11] CERN – The world's largest particle physics lab
[12] Stanford University – Quarks Theory
[13] Getting closer to the God Particle
[14] String Theory
[15] What is so peculiar about this year?