Given that modern attacks are complex and sophisticated, there is not a single product or tool that will ever be 100% effective at detecting threats. Prevention eventually fails. Therefore, you need protection before, during, and after an attack.
Modern-day networks are large and complicated. It is a nightmare for incident response teams and security investigators because it often takes days and months to identify that their networks were compromised. A wide variety of tools, technologies and platforms are available, like big data platforms, machine learning algorithms, statistical techniques, threat intelligence platforms, reputation feeds etc. It is often confusing for the decision makers to identify what is needed for their environment.
Johari Window Model
Johari Window is a technique invented by psychologists for teaching self-awareness among people. Traits of an individual person are categorized into various windows based on what he/she knows about themselves and what others know about them. This helps the individual to learn how self-aware he/she is regarding personal traits which are open for both self and others, traits that are a blind spot for oneself, traits that are hidden from others, and the unknown traits. A similar model can be used for cyber security breach readiness too.
The Johari Windows model for evaluating breach detection readiness of an organization looks like this
Open/Arena
This window represents traits of a breach that are known to the analyst as well as known to others (which could be security researchers, open threat communities or even adversaries). Examples might include bad IP addresses, URLs with bad reputations, malformed payloads, popular malware campaigns and other known Indicators of Compromise (IOC). Much of an analysts efforts would be in this window. For an analyst to be effective in this window, the tools and techniques used to identify the breaches should be easy to automate and properly configured.
Blind Spot
This window represents traits of a breach that are not known to the analyst but are known to others (say, the wider security community is aware of an ongoing malware assault but the analyst is not). In this window, the analyst is either uncertain of an infection or totally unaware of an infection. This is usually a blind spot and very dangerous situation.
- Analyst is uncertain of an infection due to lack of event log sources, gaps in the process (such as classic NETOPS and SECOPS gaps), lack of integration across different sources, lack of platforms that could provide scale.
- Analyst is unaware of an infection due to lack of frequent updates for signatures, reputation feeds, and other external threat intelligence. Analyst would also have missed it due to excessive false positives generated by the current systems.
Hidden
This window represents traits to look for in a breach that are known to the analyst but not known to others. These traits are usually hidden for others (the product vendors). The analyst may need to appropriately tune the traffic base lines, customize signatures, be aware of historical context, set the local thresholds, and appropriately adopt them to the environment.
Unknown
This window represents traits of a breach that no one is yet aware of. This could be outlier events, black swan events, or zero day exploits for which there are no signatures.
Recommendations
As discussed in each of those Johari Windows, critical analysis of an organization’s recent or ongoing breaches and the analyst’s efforts would help identify the gaps. This would help them choose the right tools to fix the process gaps, if any, as shown below.
Open/Arena
If most of the breaches are in this window, the organization would need appropriate and efficient next generation firewalls and/or breach detection systems. These are advanced, threat-centric systems that offer broader protection against known-bad actors. They work inline with the traffic and/or end points for avoiding the threats instantly.
Blind Spot
If most of the breaches are in this window, the organization may need to fix it’s internal process gaps first. The analyst would need a comprehensive view of activities (users, network, and applications) for cross-correlation of events. Any gaps in acquiring these multiple activity logs would hamper the investigations of the analyst. These activity logs are of enormous volume and, for such cross-correlation, one would need to choose scalable threat intelligence platforms. For an analyst to be effective in this window, the right vendors capable of providing quality and timely reputation feeds should be chosen. The tools should also have flexibility to tune any false positives.
Hidden
If most of the breaches are in this window then one would need tools that are flexible, customizable and integrable with other platforms through API’s, etc. For an analyst to be effective in this window, tools should be flexible enough for any exploratory data analysis. For example, does the tool enable an analyst to export the data into other in-house or commercial tools to write queries, submit investigative jobs? Does the tool offer only canned reports which are less flexible for additional analysis?
Unknown
If most of the breaches are identified in this window, then one would need tools that can learn on their own about anomalies and tools that are capable of performing network behavior analysis. The techniques needed in this window are based on advanced cutting-edge technologies like machine learning, artificial intelligence, and statistical algorithms. So, the tools should have such capabilities.
Also, importantly, each of these are not mutually exclusive but complementary needs. Further, the organization may consider outsourcing it’s threat defense for better holistic breach detection.
Conclusions
It may also happen that there are multiple gaps across windows. In that case, an appropriate and holistic plan to address them with a combination of these tools is needed, along with fixing internal process gaps. The tools suggested above are illustrative. They sometimes perform across windows (having overlapping functionality). They are not necessarily confined to a particular window. An in-depth analysis of an organization’s requirements is needed for the appropriate choice of tools.
I like the use of the Johari Window model for this purpose. Might also be useful to do a Johari Window for Threats and/or vulnerabilities.