Fun with Cybersecurity – Weekly Blog Posts on Cybersecurity
The purpose of these weekly blog posts is to demystify Cybersecurity concepts and present them in a demonstrable way. The approach is to present what and how; allowing the reader to think about why!
Sam Analytic Solutions – provides Cybersecurity Solutions! We have a homegrown process that saves time and effort for customers who have issues with, meeting compliance objectives in ICS Cybersecurity, developing an Internal Security program or practice or conducting routine Cybersecurity vulnerability assessments. Our Cybersecurity services are packaged (customized and personalized) to expedite adoption and be cost effective offering a higher ROSI (Return on Security Investment).
It Happens! Events in Cybersecurity
If there is one concept that has shaped our thinking about Cybersecurity it would undoubtedly be, “Events”. The concept of “Events” underpins our perspective of Cybersecurity. In this blog post we look at what and how of events and its ramifications in the context of Cybersecurity.
Events as a Concept
An Event, is generally defined as, “an occurrence in time and space”. Our understanding of Cyberspace is constructed using an Events based model. There are two key concepts to be understood in the Events based model – Events and States. Every object in Cyberspace has a State (a condition described as set of variables and corresponding values). Events occur when objects’ states change and vice-versa. This is a very significant aspect of Cyberspace. No State change, no Events and vice-versa! In other words, every event is evidenced by a State change. As Cybersecurity professionals we are interested in those occurrences (Events) that can be significant to the behavior of Cyber Assets (objects) under our watch!
Past, Present and Future
Cybersecurity professionals use the above idea to deduce what occurred, predict what is likely to happen and most often, observe what is happening within a given security perimeter of Cyberspace (or system). The changing States of objects (typically variables with their respective values) are continually stored (logged) and these (stored datasets) logs are then analyzed to determine the nature of Events that occurred. The patterns that are discovered are documented and shared with the community; forming Cybersecurity Intelligence.
Sensors, Listeners and Logs
Programs that help us capture Event Information are called, Listeners or Sensors. Sensors can be hardware or software. The nature of sensors is based on the nature of Event Information that needs to be captured. Example, motion sensors are used to detect movement; which in turn triggers a light and video camera or notifies a responsible person.
Listeners on the other hand are receivers of Information (Data). Information, that is relayed from a sensor is collected by a Listener program and stored in a log file. Listeners, as the name suggests continually wait for data; when received, they faithfully log it. Data in the log files are then parsed and analyzed to understand the nature of events that took place.
Cybersecurity professionals rely heavily on logs and it is important that logs be maintained for optimal periods of time. It is also critical to plan the information (datasets) that will be captured in the logs. Many a time, irrelevant data gets captured in the logs and does not add value in analyses and pattern finding. This kind of irrelevant data within the given context is termed, noise. Data Relevance is a matter of experience and professional judgement in a given environment. It is also possible to lose sight of details because of too much data being captured. Determining optimal data for capture is termed, “clipping levels”.
Risk Management as the bedrock of Cybersecurity
To secure (protect) Cyberspace (Cyber assets – Networks, Hardware and Software) we need to continually keep track of the states of Cyber assets and ensure that certain kinds of events DO NOT occur – events that have the potential to adversely impact operations and systems (threats). On the other hand, we need to ensure that certain kinds of events DO occur; Events that have a positive impact and help reach goals.
The level of impact on operations and systems, given the potential impact of a threat and the likelihood of that threat occurring is called, Risk. Risk Management provides a quantifiable approach to understanding Risk (events that are likely to have a negative impact on our objectives and information systems)
FIPS (Federal Information Processing Standards) 200 defines Risk Management as, the process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.
Taxonomy of Events
Events can be classified in several ways. Events occur on our desktops, laptops, cellphones and other devices like IOTs (Internet of Things) or the IIOT (Industrial Internet of Things). Events could also occur on Network devices like firewalls, routers or storage devices and Cloud based infrastructure. Events occur within applications and operating systems.
Events that occur on networks, servers, storage systems and virtual machines can be categorized as Infrastructure Events. In an ICS (Industrial Control System) or IOT/IIOT any event that occurs in hardware related components will be an Infrastructure Event.
Events that occur in Operating Systems, Middleware and Runtimes can be classified as Platform Events. In an ICS scenario, events within the firmware on a PLC would be Platform Events. On a cellphone, an iOS or Android update would be a Platform Event.
Events in Software Applications and Data related to applications fall into this category. A Web Browser crashing on an Ubuntu Laptop or a Microsoft Excel file corrupted are examples of Application Events. In an ICS scenario, the receipt of data by a PLC from a field device is an Application Event.
Internal and External Events
Another simple classification could be events that occur within a security perimeter and those that occur outside.
Keeping track of events is an important task in Cybersecurity. Routine review of Cyber Asset logs and collecting of event information from sources like employees, news agencies, social media and others is central to good Cybersecurity practices. To be useful, event information should, at the least have the following attributes:
Event timestamp – when the event occurred. It is important that timestamps have a standard format across all Cybersecurity/Information collection systems within and outside the enterprise. Further, time settings on all devices should be checked regularly and clocks synchronized. Incorrect timestamps cause a lot of confusion and produce erroneous results during analyses!
Event Source – where the event occurred. This should include an identification that helps identify the device uniquely. Example: IP address.
Event Type – based on an agreed upon classification.
Cause of the Event – Who or What caused the event, the person, program or other action that resulted in this event.
Event brief description – a couple of lines describing the event – what happened.
Concept of Alerts
An Alert is a warning of an adverse event or threat. When a threat is detected in Cyberspace, based on the configuration of Cyber Assets, a warning is sent to persons and systems that are registered to receive the warnings. Alerts play a key role in safeguarding Cyberspace and Cyber Assets. Alerts are mapped to events. When specific events occur, corresponding alerts are triggered. How alerts are triggered, communicated and responded to, is an important aspect of any Cybersecurity Plan or Policy.
Preparing and Responding to Events
Bad things happen! Systems fail, humans make mistakes, sometimes the bad folks win. An event that causes a negative impact is called an Incident. Every Incident is an event, but every event is not an Incident! Incident response is a critical function and is handled by a team of professionals – the incident response team, example, Computer/Cybersecurity Incident Response Team (CIRT). A CIRT tries to minimize the impact or in a best-case scenario avoid all negative impacts because of the incident.
When an Incident occurs (example, data breach), the first step is called, Triage. During the triage the Incident Responders prepare an action plan – a list of things to do and prioritize the list. Having a prioritized, agreed upon action list signals the end of the triage. Certain types of Cybersecurity incidents have to be reported to law enforcement and sometimes made public. Please take the advice of a Cybersecurity Consultant regarding the appropriate action for your nature of business/industry.
An Event based model for Cybersecurity provides several benefits. An Event is an occurrence that can be significant to the behavior of objects within a security perimeter or boundary in Cyberspace. There are two key concepts in an Event based model – Events and States. The state of an object (or Cyber Asset) is a dataset of variables and corresponding values. Recording the states of objects over time is called, Logging. Logs are critical for Cybersecurity professionals to understand what happened and derive patterns for predicting future events (threat in particular) in Cyberspace. Risk Management, the bedrock of Cybersecurity, is a quantifiable extension of the Event based model. Collecting event information, classifying events, communicating and building Cybersecurity Intelligence for the community is a daunting task facing todays Cybersecurity professionals.