Digital Edition

SYS-CON.TV
Why Rule-Based Log Correlation Is Almost a Good Idea... (Part 6 - APTs)
Why APT attackers love static rule based correlation

APTs, Advanced Persistent Threats, are the anti-script-kiddies approach to penetrating an environment. Can static rule-based correlation catch these?

APT Attackers Love Correlation Environments
You remember that "False Sense of Security," the feeling that you are secure, but in fact you're not...?

Attackers know that an attack is a process, it is not an event. And they use this - and they use time - to their advantage. They use time scales that static rule-based correlation simply cannot cope with.

If you want to correlate disparate events, you need to keep state information on these events, and of course the longer you need to keep the state, the more expensive it becomes, expensive in RAM, CPU, storage etc etc., to the point where it is not affordable anymore.

Did you know that many/most static rule-based correlation engines cannot keep state for more than a few minutes? This means for example that many correlation engines will not even be able to address the Scenario 1 - Identity Theft - discussed above.

A 3-6 months time window is not uncommon for the APT process to take place, between the early recon to getting the data out of your environment. If you dreamt of being able to use static rules to correlate the early warnings of a recon, with the actual attack using a zero-day or a privilege escalation, with the data leak as it happens, think again. Just take the calculations from the previous installment of this series of blog, and grow the time window to a couple of months. You are now needing to perform 100's or 1 000's of billion checks per second, yes you read right it's staggering.

APT attackers will wait for you to have to recycle your state information before doing the next steps, and will work with your correlation timing to go under the covers. They love it, they know that if you have a correlation engine, you are likely trusting it, and because often "No news is good news", you will not know about this attack in progress.

You put all your eggs in static rule based correlation, do not properly manage 100% of your logs and hence have little forensics capabilities? Recipe for disaster, think that you're safe, get hit, not realize it, and not be capable of easily knowing what happened...

Next installment, we'll conclude on static rule-based correlation with a glimmer of hope and offer pragmatic steps you can take to improve this technology.

About Gorka Sadowski
Gorka is a natural born entrepreneur with a deep understanding of Technology, IT Security and how these create value in the Marketplace. He is today offering innovative European startups the opportunity to benefit from the Silicon Valley ecosystem accelerators. Gorka spent the last 20 years initiating, building and growing businesses that provide technology solutions to the Industry. From General Manager Spain, Italy and Portugal for LogLogic, defining Next Generation Log Management and Security Forensics, to Director Unisys France, bringing Cloud Security service offerings to the market, from Director of Emerging Technologies at NetScreen, defining Next Generation Firewall, to Director of Performance Engineering at INS, removing WAN and Internet bottlenecks, Gorka has always been involved in innovative Technology and IT Security solutions, creating successful Business Units within established Groups and helping launch breakthrough startups such as KOLA Kids OnLine America, a social network for safe computing for children, SourceFire, a leading network security solution provider, or Ibixis, a boutique European business accelerator.



ADS BY GOOGLE
Subscribe to the World's Most Powerful Newsletters

ADS BY GOOGLE

The question before companies today is not whether to become intelligent, it’s a question of how and...
While some developers care passionately about how data centers and clouds are architected, for most,...
ChatOps is an emerging topic that has led to the wide availability of integrations between group cha...
As DevOps methodologies expand their reach across the enterprise, organizations face the daunting ch...
As Marc Andreessen says software is eating the world. Everything is rapidly moving toward being soft...
You know you need the cloud, but you’re hesitant to simply dump everything at Amazon since you know ...
Is advanced scheduling in Kubernetes achievable?Yes, however, how do you properly accommodate every ...
The cloud era has reached the stage where it is no longer a question of whether a company should mig...
The need for greater agility and scalability necessitated the digital transformation in the form of ...
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, provided an over...
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection...
In his session at 21st Cloud Expo, Raju Shreewastava, founder of Big Data Trunk, provided a fun and ...
"Since we launched LinuxONE we learned a lot from our customers. More than anything what they respon...
DevOps is under attack because developers don’t want to mess with infrastructure. They will happily ...
"As we've gone out into the public cloud we've seen that over time we may have lost a few things - w...
In his session at 21st Cloud Expo, Michael Burley, a Senior Business Development Executive in IT Ser...
Sanjeev Sharma Joins June 5-7, 2018 @DevOpsSummit at @Cloud Expo New York Faculty. Sanjeev Sharma is...
We are given a desktop platform with Java 8 or Java 9 installed and seek to find a way to deploy hig...
"I focus on what we are calling CAST Highlight, which is our SaaS application portfolio analysis too...
"Cloud4U builds software services that help people build DevOps platforms for cloud-based software a...