Digital Edition

SYS-CON.TV
Why Rule-Based Log Correlation Is Almost a Good Idea... (Part 6 - APTs)
Why APT attackers love static rule based correlation

APTs, Advanced Persistent Threats, are the anti-script-kiddies approach to penetrating an environment. Can static rule-based correlation catch these?

APT Attackers Love Correlation Environments
You remember that "False Sense of Security," the feeling that you are secure, but in fact you're not...?

Attackers know that an attack is a process, it is not an event. And they use this - and they use time - to their advantage. They use time scales that static rule-based correlation simply cannot cope with.

If you want to correlate disparate events, you need to keep state information on these events, and of course the longer you need to keep the state, the more expensive it becomes, expensive in RAM, CPU, storage etc etc., to the point where it is not affordable anymore.

Did you know that many/most static rule-based correlation engines cannot keep state for more than a few minutes? This means for example that many correlation engines will not even be able to address the Scenario 1 - Identity Theft - discussed above.

A 3-6 months time window is not uncommon for the APT process to take place, between the early recon to getting the data out of your environment. If you dreamt of being able to use static rules to correlate the early warnings of a recon, with the actual attack using a zero-day or a privilege escalation, with the data leak as it happens, think again. Just take the calculations from the previous installment of this series of blog, and grow the time window to a couple of months. You are now needing to perform 100's or 1 000's of billion checks per second, yes you read right it's staggering.

APT attackers will wait for you to have to recycle your state information before doing the next steps, and will work with your correlation timing to go under the covers. They love it, they know that if you have a correlation engine, you are likely trusting it, and because often "No news is good news", you will not know about this attack in progress.

You put all your eggs in static rule based correlation, do not properly manage 100% of your logs and hence have little forensics capabilities? Recipe for disaster, think that you're safe, get hit, not realize it, and not be capable of easily knowing what happened...

Next installment, we'll conclude on static rule-based correlation with a glimmer of hope and offer pragmatic steps you can take to improve this technology.

About Gorka Sadowski
Gorka is a natural born entrepreneur with a deep understanding of Technology, IT Security and how these create value in the Marketplace. He is today offering innovative European startups the opportunity to benefit from the Silicon Valley ecosystem accelerators. Gorka spent the last 20 years initiating, building and growing businesses that provide technology solutions to the Industry. From General Manager Spain, Italy and Portugal for LogLogic, defining Next Generation Log Management and Security Forensics, to Director Unisys France, bringing Cloud Security service offerings to the market, from Director of Emerging Technologies at NetScreen, defining Next Generation Firewall, to Director of Performance Engineering at INS, removing WAN and Internet bottlenecks, Gorka has always been involved in innovative Technology and IT Security solutions, creating successful Business Units within established Groups and helping launch breakthrough startups such as KOLA Kids OnLine America, a social network for safe computing for children, SourceFire, a leading network security solution provider, or Ibixis, a boutique European business accelerator.



ADS BY GOOGLE
Subscribe to the World's Most Powerful Newsletters

ADS BY GOOGLE

The explosion of new web/cloud/IoT-based applications and the data they generate are transforming ou...
CI/CD is conceptually straightforward, yet often technically intricate to implement since it require...
Containers and Kubernetes allow for code portability across on-premise VMs, bare metal, or multiple ...
Enterprises are striving to become digital businesses for differentiated innovation and customer-cen...
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As au...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't com...
The now mainstream platform changes stemming from the first Internet boom brought many changes but d...
DXWorldEXPO LLC announced today that All in Mobile, a mobile app development company from Poland, wi...
DXWorldEXPO LLC announced today that Ed Featherston has been named the "Tech Chair" of "FinTechEXPO ...
Chris Matthieu is the President & CEO of Computes, inc. He brings 30 years of experience in developm...
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: D...
Andi Mann, Chief Technology Advocate at Splunk, is an accomplished digital business executive with e...
In this presentation, you will learn first hand what works and what doesn't while architecting and d...
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids...
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitori...
We are seeing a major migration of enterprises applications to the cloud. As cloud and business use ...
If your cloud deployment is on AWS with predictable workloads, Reserved Instances (RIs) can provide ...
Disruption, Innovation, Artificial Intelligence and Machine Learning, Leadership and Management hear...
We build IoT infrastructure products - when you have to integrate different devices, different syste...
Consumer-driven contracts are an essential part of a mature microservice testing portfolio enabling ...