Wired Magazine recently published a set of articles titled 12 Shocking Ideas That Could Change the World. Among them was a suggestion by a Danish gentleman named Thorkil Sonne, of Specialisterne, to hire autists. His reasoning is that people with autism or Asperger's are good at routine tasks:

“As a general view, they have excellent memory and strong attention to detail. They are persistent and good at following structures and routines”

So I got to thinking. One of the discussions I had with colleagues after a recent meeting with a provider of managed security services (see previous post) dealt with the idea that building and maintaining a decent SOC and log/event management procedure is a near-impossible task, because a sustainable operations process is so hard to create; one of my co-workers made the point that most people tend to get bored with the repetitive nature of looking through log files, or even of dealing with things like security advisories and updates.

I countered with the assertion that basic event management and intelligence correlation should, to a large degree, be automated anyway (whether non-dedicated companies can do this as well as, or better than, dedicated outsourcers is a separate discussion, probably best investigated case by case). However, the routine nature of any IT operations job aside, he did have a point that (a) even when you automate everything, you will still want a degree of human second-guessing, and (b) that gets mighty dull.

If Thorkil Sonne is right, and autists (is that a word?) really can excel at work that requires focus, consistent attention to detail despite the drudgery involved, and clear rules, the logical conclusion is: why not use them for exactly the tasks described above? Someone who excels at pattern detection and is willing to follow the same process day after day after day would seem ideal for an SOC monitoring / log and event analysis position.

I don't want to come across as insensitive, since I know next to nothing about autism, but going purely by the value proposition Specialisterne puts forward, it seems rational to hire the best people for any given job; whether their qualification stems from extraordinary dedication, experience, or a mental condition should be completely irrelevant. And in the process, maybe do some good for someone who might otherwise be difficult to employ.

I had a workshop at the offices of a major international backbone provider today, on the subject of security logging/monitoring/response and DDoS defense for large companies.

1. Tarpits

In the course of providing managed security services, part of the problem these guys face is the proliferation of custom exploits and attacks, up 59% this year according to their research (I'd link to the PDF, but since I'm under NDA with the client I was representing, I'm not entirely sure it would be appropriate. You figure it out.) As it turns out, part of their strategy for quickly identifying new attacks is to set up all the non-allocated netblocks they own as gigantic honeynets, for research purposes.

I asked one of their sales guys why they didn't allocate a small portion of these IPs as tarpits. It's not a new technology by anyone's estimation, and given the sheer scale of the IP space they use as honeypots it wouldn't be a big sacrifice, considering that a single LaBrea installation, by answering for unused addresses and holding every scanning connection open with a zero-size TCP window, can trap hundreds of worms and keep older beasties from clogging up the tubes. His response? “Our mission isn't to save the Internet.”
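Added illustration, not LaBrea's code and not anything the provider showed: the "sticky" part of such a tarpit in pure Python. The responder claims a bait prefix (constructed here as 198.51.100.0/24), answers SYNs with a SYN/ACK that advertises a ten-byte window, accepts only those ten bytes and then advertises a zero window for as long as the peer keeps probing, so the scanner's TCP stack sits in persist state instead of moving on. Packets are raw IPv4+TCP byte strings, so the same function could sit behind a raw socket; the initial sequence number, window size and scanner addresses are all assumptions.

```python
"""LaBrea-style 'persist' TCP tarpit for unallocated address space.

Added example (not LaBrea's own code).  The responder answers SYNs aimed
at bait prefixes with a SYN/ACK carrying a tiny receive window, accepts
only that many bytes, then advertises a zero window for as long as the
peer keeps probing, so the scanner's TCP stack sits in the
zero-window-probe state instead of moving on.
"""
import ipaddress
import struct

# Constructed: prefixes nobody legitimately uses, which the tarpit claims.
TARPIT_NETS = [ipaddress.ip_network("198.51.100.0/24")]
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
ISN = 0x1A2B3C4D          # fixed initial sequence number; fine for bait
INITIAL_WINDOW = 10       # bytes accepted before the window goes to zero
flows = {}                # (src, sport, dst, dport) -> [rcv_nxt, accepted]


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse(pkt: bytes) -> dict:
    """Extract the IPv4/TCP fields the tarpit needs from a raw packet."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    return {"src": pkt[12:16], "dst": pkt[16:20], "proto": pkt[9],
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "win": win,
            "payload_len": len(tcp) - (off_flags >> 12) * 4}


def build(src, dst, sport, dport, seq, ack, flags, win, payload=b"") -> bytes:
    """Build an IPv4+TCP packet (no options) with valid checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, win, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     src, dst)
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp


def tarpit_reply(pkt: bytes):
    """Return the packet the tarpit sends back, or None to stay silent."""
    f = parse(pkt)
    if f["proto"] != 6 or f["flags"] & TCP_RST:
        return None
    if not any(ipaddress.ip_address(f["dst"]) in n for n in TARPIT_NETS):
        return None                       # not bait space: never answer

    def reply(ack, win, flags=TCP_ACK, seq=ISN + 1):
        return build(f["dst"], f["src"], f["dport"], f["sport"],
                     seq, ack, flags, win)

    key = (f["src"], f["sport"], f["dst"], f["dport"])
    if f["flags"] == TCP_SYN:             # new scan: lure it in
        flows[key] = [f["seq"] + 1, 0]
        return reply(f["seq"] + 1, INITIAL_WINDOW, TCP_SYN | TCP_ACK, ISN)
    if key not in flows or not f["flags"] & TCP_ACK:
        return None
    rcv_nxt, accepted = flows[key]
    # Accept only what still fits in the initial window.  Once it is full,
    # the peer's zero-window probes are acked at the old rcv_nxt and never
    # accepted, which is exactly the state that holds the connection open.
    take = 0
    if f["seq"] == rcv_nxt:
        take = min(f["payload_len"], INITIAL_WINDOW - accepted)
    flows[key] = [rcv_nxt + take, accepted + take]
    return reply(rcv_nxt + take, INITIAL_WINDOW - accepted - take)


def simulate_scan(scanner="203.0.113.9", bait="198.51.100.7", port=445):
    """Drive the tarpit with a constructed scanner: SYN, data, window probe.
    Returns (flags, window, ack) of each tarpit reply."""
    s = ipaddress.ip_address(scanner).packed
    d = ipaddress.ip_address(bait).packed
    probes = [
        build(s, d, 40000, port, 1000, 0, TCP_SYN, 65535),
        build(s, d, 40000, port, 1001, ISN + 1, TCP_ACK | TCP_PSH, 65535, b"A" * 10),
        build(s, d, 40000, port, 1011, ISN + 1, TCP_ACK, 65535, b"B"),  # probe
    ]
    out = []
    for p in probes:
        r = parse(tarpit_reply(p))
        out.append((r["flags"], r["win"], r["ack"]))
    return out


if __name__ == "__main__":
    for step in simulate_scan():
        print("flags=0x%02x win=%d ack=%d" % step)
```

Note what this does and does not buy you: the tarpit does not kill a worm, it only pins one of its scanning threads per bait address for as long as the peer's stack keeps retrying, and a scanner that sends RST or uses its own stateless stack walks away unharmed. In a real deployment the responder also has to claim the bait addresses at layer 2 (LaBrea answers ARP for addresses nobody else answers for), which is outside this example.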

Honestly, though, it should be: it would be in everyone's interest, including their own, to minimize the capacity consumed by worms and bots, bandwidth that could be used productively for other purposes. To this end, I had an idea. I hadn't been aware of the huge amount of unused IP space available to providers of this size, and I also recall various organizations and individuals having excessive IP allocations revoked and thrown back into the pool (a good move, considering that the complete exhaustion of IPv4 space has been predicted with clockwork regularity every year since at least 2000).

So why not have IANA and the RIRs make it a condition of allocation that 5% of any unused IP space an organization holds must be set aside for the public good, i.e. as sticky honeynets / tarpits?

2. Stopping DDoS at the Edge

We started discussing DDoS mitigation strategies for big customers; this particular ISP's offering is a cloud-based solution. Which brings me back to the idea that, since counter-attack is a rather silly idea when you're fighting 100,000+ hosts (plus, do you really want companies or governments deciding whom they get to actively knock off the net?), why don't we unearth the concept of stopping DDoS at the edge?

This has been around as a concept for some time; it would require a fair amount of coordination on the part of ISPs and, potentially, governments, considering the magnitude of the attacks suffered by Estonia in 2007 as well as China's and North Korea's burgeoning military and government-sponsored cyberwar capabilities. However, it seems to me that figuring out how to stop the baddies getting in is a far more sensible goal than stopping them on the way out.

Remotely Triggered Black Hole (RTBH) routing is a reasonably fresh approach to this: a trigger router announces a /32 for the victim (or, combined with unicast RPF, for an attacking source) over iBGP with a next hop that every edge router already has statically pointed at a discard interface, so the traffic is dropped at the edges rather than carried across the backbone, without anyone touching individual router configurations. Source-based black-holing only works if the source address can be believed, which is the problem in (c) below. Older concepts include Diadem, a combination of software and dedicated hardware.

There are a few major problems with the idea:

a) It would require a massive amount of CPU power.

Considering how much time and money Cisco and the like are investing in deep packet inspection technologies (not always for good purposes; caveat, very one-sided article, but the point holds), I wouldn't find it such an insane development goal to create and deploy dedicated edge routers capable of on-the-fly reconfiguration.

b) It would require large amounts of co-operation and coordination

Well, yes. The Internet is supposed to work on that basis.

c) It has the potential to knock innocuous sites offline

This is the biggie: with spoofed source IPs, anyone could conceivably be falsely accused of launching a DDoS and in turn be knocked off the net. The ISP I spoke with today actually had tools to deal with this; they worked on the basis of source IP trust levels for customer IPS (intrusion prevention) deployments. Roughly speaking, every dodgy-looking connection is checked by the provider against a dynamic database of activity emanating from that IP or IP range across its backbone network. Connections (not contents) are archived for around two weeks, and the security management service informs customers of the trust level of that IP.

This could conceivably be adapted to prevent false accusations of DDoS traffic. For example, modified, heavily audited IDS probes at a company network's egress points could record the "real" traffic leaving the company, to be matched against the ISP's database of traffic claiming to come from that company; connections that never left the company's egress would then not be attributed to the innocent victim. It would be quite tricky for individual users, but it would make it fairly difficult for a botnet to indirectly knock a company or edge ISP offline by getting backbone carriers to drop its traffic because of spoofing.
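An added example, not the provider's tooling, that turns the idea in (c) into code. Two vantage points record connections (5-tuples plus a timestamp, never content): the backbone, which sees whatever claims a source address in the customer's prefix, and the audited probe at the customer's egress, which sees what really left. A backbone record with no egress counterpart within a small clock-skew window is treated as spoofed and is not charged to the customer, and the "trust level" of each claimed source is simply the share of its backbone-observed connections the customer vouched for. All flows, addresses, the skew tolerance and the blackhole threshold are constructed; the code also assumes no NAT sits between the probe and the backbone, so that ports match.

```python
"""Spoof-aware attribution of DDoS traffic to a customer prefix.

Added example (not the provider's code).  Backbone-observed flows that
claim the customer's addresses are corroborated against the customer's
own egress probe; uncorroborated ones are forged and not attributed.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds (constructed values below)
    src: str
    sport: int
    dst: str
    dport: int


CUSTOMER_NET = ipaddress.ip_network("192.0.2.0/24")   # the accused prefix
VICTIM = "198.51.100.20"
SKEW = 2   # seconds of clock disagreement tolerated between vantage points

# Constructed: what the egress probe saw actually leave the customer.
EGRESS_FLOWS = [
    Flow(100, "192.0.2.10", 51000, VICTIM, 80),
    Flow(101, "192.0.2.10", 51001, VICTIM, 80),
    Flow(105, "192.0.2.10", 51002, "203.0.113.5", 443),
]

# Constructed: what the backbone saw claiming a 192.0.2.0/24 source.  The
# three real flows arrive a second later; six more flows "from" 192.0.2.77
# exist nowhere in the egress record, i.e. their source is forged.
BACKBONE_FLOWS = [Flow(f.ts + 1, f.src, f.sport, f.dst, f.dport) for f in EGRESS_FLOWS]
BACKBONE_FLOWS += [Flow(100 + i, "192.0.2.77", 1024 + i, VICTIM, 80) for i in range(6)]
BACKBONE_FLOWS.append(Flow(100, "203.0.113.99", 4000, VICTIM, 80))  # not customer space


def corroborate(backbone, egress, skew=SKEW):
    """Split backbone flows claiming the customer's addresses into those
    the egress probe confirms and those it never saw (spoofed).
    Assumption: the 5-tuple survives unchanged between probe and backbone."""
    seen = defaultdict(list)
    for f in egress:
        seen[(f.src, f.sport, f.dst, f.dport)].append(f.ts)
    confirmed, spoofed = [], []
    for f in backbone:
        if ipaddress.ip_address(f.src) not in CUSTOMER_NET:
            continue                       # someone else's problem
        times = seen.get((f.src, f.sport, f.dst, f.dport), [])
        if any(abs(t - f.ts) <= skew for t in times):
            confirmed.append(f)
        else:
            spoofed.append(f)
    return confirmed, spoofed


def trust_levels(confirmed, spoofed):
    """Per claimed source: share of backbone flows the customer vouched for."""
    tally = defaultdict(lambda: [0, 0])
    for f in confirmed:
        tally[f.src][0] += 1
    for f in spoofed:
        tally[f.src][1] += 1
    return {src: good / (good + bad) for src, (good, bad) in tally.items()}


def attribution(backbone, egress, victim, threshold):
    """Decide whether traffic toward `victim` that claims the customer's
    prefix justifies blackholing that prefix.  Only corroborated flows
    count toward `threshold`; forged ones are reported, not charged."""
    confirmed, spoofed = corroborate(backbone, egress)
    real = [f for f in confirmed if f.dst == victim]
    forged = [f for f in spoofed if f.dst == victim]
    if len(real) >= threshold:
        decision = "blackhole-customer-prefix"   # the customer really is a source
    elif forged:
        decision = "spoofed-do-not-attribute"    # drop forgeries, leave customer up
    else:
        decision = "no-action"
    return {"decision": decision, "real": len(real), "forged": len(forged),
            "trust": trust_levels(confirmed, spoofed)}


if __name__ == "__main__":
    print(attribution(BACKBONE_FLOWS, EGRESS_FLOWS, VICTIM, threshold=5))
```

With the constructed data the six forged connections are reported but not charged, and only the two genuine ones count toward the threshold, so the customer stays up. Two caveats a practitioner will want: the egress probe is now the thing whose integrity decides who gets blackholed (hence "heavily audited" above), and the match is only as good as the attacker's ignorance of the customer's live 5-tuples, since a botnet that can observe real flows could forge corroborated-looking ones.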

d) Would you trust a consortium of governments / ISPs to decide whom to blackhole?

Obviously this is a problem, but I believe that the distributed nature of the Internet is proof against such shenanigans.

Comments?

© 2010 Chakraborty Software Suffusion WordPress theme by Sayontan Sinha