Government Technology

Anomaly Detection: Front-Door Infrastructure Security

"Outlier Detection"

September 20, 2012 By

The Digital Communities article "Have Hackers Won?" -- with Columbia Computer Science Professor and Federal Trade Commission Chief Technologist Steven Bellovin -- gave a clear explanation of security limitations because of the size and complexity of buggy software code, and limitations in authentication and encryption. "Authentication won’t do it," Bellovin explained in the article. "In most breaches, the bad guys go around the strong authentication, not through it."  He went on to say that as part of a national study, he analyzed every CERT advisory issued up to 1998 and found that 85 percent of them were code problems, configuration errors, etc., that encryption couldn’t fix.

While this may be a difficult problem to address, it is not impossible. It does, however, require a new way of looking at what real security is and how to effectively secure business process information.

Understanding True Security

While technology has delivered benefits, it has also delivered a new set of security risks and business problems, including large volumes of questionable data, vague accountabilities and ongoing maintenance of business rules, to name a few. As we have digitally automated our business and control processes, we have reached a point of complexity at which it is impossible for a manager to see the day-to-day actions of these processes or even to detect a security breach. New visualization tools are necessary if managers are to accurately and effectively direct these business processes. This is where anomaly detection will help.

Currently, data collection, buggy code, network encryption and authentication are all viewed and audited at the system output level. In this type of security system, real-time system data and unwanted business events may be detected too late. Security must instead be viewed, audited and authorized at the enterprise event-input level to achieve the higher security levels that critical infrastructure requires.

Our current security systems are collecting so many security "no's" at the output level that intrusion prevention and detection systems are reaching the point of overload. To date, more than 17.7 million viruses have been detected. Add bandwidth-eating high-end encryption to the mix and things are eventually going to start slowing down. So how do we handle all these security no's? The answer to this problem is simply to say yes.

It's almost impossible to manually watch, detect, audit and correct all these business activities amid the complexity of today's business processes. Even when doing this through coordinated government compliance, like NERC SIP in securing the power grid, the minute we think we are done and walk away, something changes. These compliance processes cost a lot of money, take a lot of time and can't guarantee security anyway.

So what if we could create an anomaly algorithm that could audit, detect and approve positive input events in business processes? And if we could do this, wouldn't risk management and security simply become a byproduct of allowing these positive business events to occur?

"Anomaly detection," says Wikipedia, is also called "outlier detection" and refers to detecting patterns in a given data set that do not conform to established normal behavior. The patterns thus detected are called anomalies and often translate to critical and actionable information in several application domains. 

In the workplace, predetermined activities of employees, of information systems, and of combined human and information system events produce specific desired business process results. Anomaly detection is a tool that can specifically detect and audit the defined patterns of these combined human and system activities. A change in the normal pattern of these activities can offer a business manager very specific information that can assist in improving the business process or even in detecting a major business or system breach.

Real-World Fix

This may seem like security fantasyland or something that is still on the drawing board but it’s not. The problem is not that it is not available or it doesn’t work. It is available.

Like most paradigm shifts, it takes a while for people to get it, and human nature sometimes confuses threats with benefits. We need to start leveraging tools that can view, audit and improve business processes and improve security at the same time.

Larry Karisny is the director of Project, a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.



Larry Karisny    |    Commented September 24, 2012

You can find active Linkedin discussions on the article at the following groups: Cyber Security in Real-Time Systems Intelligence Based Cyber Security

Ed Hubler    |    Commented September 26, 2012

Anomaly based detection solutions were specifically engineered to overcome the limitations of signature based security methods. Anomaly based detection products are based on the simple premise that unusual means suspicious. These products learn what are usual and expected commands or traffic to a system and then apply rules to any unusual (anomalous) commands to identify attacks. Anomaly based detection products are credited as having a greater ability to stop new and novel attack vectors. However, anomaly detection products have many inherent weaknesses. They are often computationally intensive, they require expert knowledge to define their rules and often require manual identification of any new attack. Anomaly detection products may also be prone to high false positive rates if their rules are too broad and high false negative rates if their rules are too narrow. The most significant weakness with anomaly detection products is known as blind spots. That is, their inability to identify attack vectors that are close in form to what would be a usual or expected command.
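As an added illustration (not part of the article or of this comment), the Python sketch below puts the "outlier detection" definition quoted in the article and the weaknesses listed in the comment side by side: it learns a per-command baseline from constructed meter-command events, flags departures with a tunable threshold, and counts false positives and false negatives on a small labelled set. The command names, payload sizes and thresholds are all constructed for the example; one labelled attack is deliberately identical in form to normal traffic to show the blind spot.

```python
from statistics import mean, pstdev

# Constructed training sample of (command, payload_bytes) seen during a quiet
# period: the "usual and expected commands" a product learns. Not real traffic.
BASELINE = [
    ("READ_METER", 120), ("READ_METER", 118), ("READ_METER", 125),
    ("READ_METER", 122), ("GET_STATUS", 64), ("GET_STATUS", 66),
    ("GET_STATUS", 61), ("SET_CLOCK", 40), ("READ_METER", 119),
    ("GET_STATUS", 63), ("READ_METER", 121), ("SET_CLOCK", 42),
]

# Constructed evaluation events labelled (command, payload_bytes, is_attack).
# Index 2 is the "blind spot": an attack whose form matches normal exactly.
EVAL = [
    ("READ_METER", 123, False),      # benign, well inside the profile
    ("READ_METER", 131, False),      # benign but unusually large
    ("SET_CLOCK", 41, True),         # attack indistinguishable by size/command
    ("FIRMWARE_WRITE", 4096, True),  # never-seen command: easy catch
    ("GET_STATUS", 72, True),        # known command, moderately oversized
]

def learn_profile(events):
    """Per-command mean and std-dev of payload size (the learned 'normal')."""
    by_cmd = {}
    for cmd, size in events:
        by_cmd.setdefault(cmd, []).append(size)
    # Floor std-dev at 1.0 so a command with constant sizes does not divide by zero.
    return {c: (mean(s), max(pstdev(s), 1.0)) for c, s in by_cmd.items()}

def score(profile, cmd, size):
    """Anomaly score: unseen command is infinitely unusual; otherwise a z-score."""
    if cmd not in profile:
        return float("inf")
    mu, sigma = profile[cmd]
    return abs(size - mu) / sigma

def detect(profile, events, threshold):
    """Indices flagged as anomalous; a lower threshold is a broader rule."""
    return {i for i, (c, s) in enumerate(events) if score(profile, c, s) > threshold}

def evaluate(threshold):
    """Return (false_positives, false_negatives) on EVAL at this threshold."""
    profile = learn_profile(BASELINE)
    flagged = detect(profile, [(c, s) for c, s, _ in EVAL], threshold)
    fp = sum(1 for i, (_, _, bad) in enumerate(EVAL) if i in flagged and not bad)
    fn = sum(1 for i, (_, _, bad) in enumerate(EVAL) if i not in flagged and bad)
    return fp, fn
```

Calling `evaluate(2.0)` (a broad rule) flags the oversized benign reading as a false positive, while `evaluate(5.0)` (a narrow rule) additionally misses the moderately oversized attack; the look-alike SET_CLOCK attack is missed at every threshold because nothing in the measured features distinguishes it.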

Bill Kim    |    Commented September 27, 2012

I am curious if, in paragraph six, you are intentionally making reference to SIP, the Session Initiation Protocol, a signaling protocol for Internet conferencing, telephony, presence, events notification and instant messaging, or thinking about CIP, the Critical Infrastructure Protection program which coordinates all of NERC's efforts to improve physical and cybersecurity for the bulk power system of North America as it relates to reliability. One seemed more appropriate than the other in this particular reference since SIP has little to do with grid security. Just curious.

Larry Karisny    |    Commented September 28, 2012

Bill. Typo correction submitted on SIP. Should be NERC CIP. Ed. See above links on a thorough discussion about anomaly detection. Feel free to contact me directly.
