Summary & Review: Building an Early Warning System (by Securosis)
Summary / Review
The paper "Building an Early Warning System" by Securosis starts by describing the typical situation: you can't get ahead of the threat, because security is inherently reactive. The best you can do is use tools that bring you as close to the threat as possible, and an Early Warning System (EWS) can be one of those tools.
“A good hockey player plays where the puck is. A great hockey player plays where the puck is going to be.” – Wayne Gretzky
Critical points
- you need a clear understanding of what is going on in your own environment (e.g. by using tools like a SIEM)
- you need to know what is happening around you (attackers, exploits) and how it affects you
Evolution of threat intelligence
- anti-virus research
- shared spam research (honeypots)
- IP and file reputation
- investigating the techniques and data sources used by the bad guys; closed research
- publishing security research (blogs, media)
The Early Warning Process
- Internal Data Collection
  - aggregate data
  - SIEM
  - log management
  - vulnerability management
  - network forensics
- Baseline
  - establish baselines: what is normal?
  - look for deviations from the baselines
- External Threat Feeds
  - cross-reference internal data against external data
  - threats and malware
  - vulnerabilities
  - reputation: anything should have a reputation
  - brand usage
  - "[…] unless you get a feed of threat information you can integrate into other tools and check against your internal data, the intelligence is useless for Early Warnings."
- Determine Urgency
  - interpret the data
  - determine the threat to your own environment
  - "Relevance x Likelihood x Proximity = Early Warning Urgency"
  - e.g. keep a list of business partners with their interfaces and data flows, and agree a notification SLA with those partners
- Act
  - do nothing
  - monitor
  - take action
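The five steps above form one pipeline, so here is an added end-to-end example of it in Python (my own illustration, not code from the Securosis paper or from any product): a constructed outbound-connection log is parsed (internal data collection), per-host connection counts are compared against a constructed seven-day history (baseline), destinations are cross-referenced against a constructed IP reputation feed and a constructed partner notice (external threat feeds), each finding is scored with the paper's Relevance x Likelihood x Proximity formula (determine urgency), and the score is mapped to do nothing / monitor / take action. The log lines, feed entries, asset criticalities, the [0, 1] scaling of the three factors, the z-score-to-likelihood mapping and the action thresholds are all assumptions of this example, not values from the paper.

```python
"""Added example (not from the Securosis paper): a minimal Early Warning pipeline.
Internal data -> baseline -> external feed cross-reference ->
Relevance x Likelihood x Proximity -> action. All data, scales and
thresholds below are constructed assumptions for illustration."""
import re
from collections import Counter
from statistics import mean, pstdev

# Internal data collection: constructed firewall-style outbound connection log
TODAY_LOG = """\
2013-01-22T09:01:11 src=web01 dst=198.51.100.7 bytes=1402
2013-01-22T09:02:30 src=web01 dst=203.0.113.9 bytes=88
2013-01-22T09:03:02 src=db01 dst=10.0.0.5 bytes=5120
2013-01-22T09:04:15 src=lab01 dst=203.0.113.9 bytes=77
2013-01-22T09:05:44 src=web01 dst=198.51.100.7 bytes=1390
2013-01-22T09:06:01 src=web01 dst=198.51.100.7 bytes=1411
2013-01-22T09:07:09 src=db01 dst=10.0.0.5 bytes=4990
2013-01-22T09:08:22 src=web01 dst=198.51.100.7 bytes=1377
2013-01-22T09:09:35 src=db01 dst=10.0.0.6 bytes=6001
2013-01-22T09:10:48 src=web01 dst=198.51.100.7 bytes=1405
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")

# Baseline: outbound connections per host on the previous seven days (constructed)
HISTORY = {"web01": [2, 3, 2, 3, 2, 3, 2], "db01": [1, 1, 2, 1, 1, 1, 1], "lab01": [1, 0, 1, 1, 0, 1, 1]}

# External threat feed: constructed IP reputation entries with vendor confidence in [0, 1]
FEED = {"203.0.113.9": {"category": "c2", "confidence": 0.9},
        "192.0.2.44": {"category": "scanner", "confidence": 0.4}}

# Constructed partner notice plus the partner/interface list the paper recommends keeping
PARTNER_NOTICES = [{"partner": "acme", "indicator": "192.0.2.44"}]
PARTNER_INTERFACES = {"acme": {"host": "db01", "proximity": 0.5}}  # acme has a data flow into db01

# Relevance input: asset criticality from the inventory, assumed values in [0, 1]
CRITICALITY = {"web01": 0.9, "db01": 1.0, "lab01": 0.4}

def parse_log(text):
    """Turn raw lines into events; malformed lines are skipped (a real collector would count them)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"src": m["src"], "dst": m["dst"], "bytes": int(m["bytes"])})
    return events

def baseline_deviations(events, history, sigma=2.0):
    """{host: z} for hosts whose connection count today exceeds mean + sigma*stdev of their history."""
    today = Counter(e["src"] for e in events)
    out = {}
    for host, n in today.items():
        hist = history.get(host)
        if not hist:
            continue  # no baseline yet, so "normal" is unknown for this host
        mu, sd = mean(hist), pstdev(hist)
        z = (n - mu) / sd if sd else (float("inf") if n > mu else 0.0)
        if z > sigma:
            out[host] = z
    return out

def feed_hits(events, feed):
    """Cross-reference internal events against the feed; one hit per (host, indicator) pair."""
    hits = {}
    for e in events:
        if e["dst"] in feed:
            hits.setdefault((e["src"], e["dst"]), feed[e["dst"]])
    return [{"host": h, "indicator": i, **v} for (h, i), v in hits.items()]

def urgency(relevance, likelihood, proximity):
    """Relevance x Likelihood x Proximity, each factor scaled to [0, 1] (the scaling is assumed)."""
    return round(relevance * likelihood * proximity, 3)

def decide(score, act_at=0.6, monitor_at=0.3):
    """Map urgency onto the paper's three outcomes; the thresholds are assumptions."""
    return "take action" if score >= act_at else "monitor" if score >= monitor_at else "do nothing"

def early_warning(log_text=TODAY_LOG, history=HISTORY, feed=FEED,
                  notices=PARTNER_NOTICES, interfaces=PARTNER_INTERFACES, crit=CRITICALITY):
    """Run the whole process; returns (host, reason, urgency, action) sorted by urgency."""
    events = parse_log(log_text)
    warnings = []
    for h in feed_hits(events, feed):  # seen on our own network: proximity 1.0
        s = urgency(crit.get(h["host"], 0.5), h["confidence"], 1.0)
        warnings.append((h["host"], f"contacted {h['category']} {h['indicator']}", s, decide(s)))
    for host, z in baseline_deviations(events, history).items():  # anomaly without an indicator
        s = urgency(crit.get(host, 0.5), min(1.0, z / 10.0), 1.0)  # assumed: likelihood grows with z
        warnings.append((host, f"{z:.1f} sigma above connection baseline", s, decide(s)))
    for n in notices:  # reported by a partner: closer than the open internet, farther than our own hosts
        iface, ind = interfaces.get(n["partner"]), feed.get(n["indicator"])
        if iface and ind:
            s = urgency(crit.get(iface["host"], 0.5), ind["confidence"], iface["proximity"])
            reason = f"partner {n['partner']} saw {ind['category']} {n['indicator']}"
            warnings.append((iface["host"], reason, s, decide(s)))
    return sorted(warnings, key=lambda w: w[2], reverse=True)

if __name__ == "__main__":
    for host, reason, score, action in early_warning():
        print(f"{score:.3f} {action:<12} {host}: {reason}")
```

Running it ranks the C2 contact from the internet-facing web01 highest (take action), puts db01's traffic spike and lab01's C2 contact into "monitor", and scores the partner's scanner report on db01 lowest, because the lower feed confidence and the partner proximity of 0.5 both pull the product down. The same indicator (203.0.113.9) produces different urgencies on web01 and lab01 purely through the relevance factor, which is the point of the formula: a feed hit alone does not say how urgent it is for you.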
Major capabilities of an EWS
- open
- scalable
- search
- urgency scoring
“So one success criterion for implementing an EWS is realism, about what it can do and what it can’t.”
Conclusion
As expected from a Securosis paper: clearly structured content with detailed, to-the-point information.
How to get
This post is based on version 1.4 of the paper, dated 2013-01-22.
Intro / summary: https://securosis.com/research/publication/building-an-early-warning-system
Paper download: [PDF]: https://securosis.com/assets/library/reports/Securosis_EarlyWarningSystem_FINAL.pdf