<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: All Hail the Grid</title>
	<atom:link href="http://www.riskbloggers.com/jimreavis/2007/03/all-hail-the-grid/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.riskbloggers.com/jimreavis/2007/03/all-hail-the-grid/</link>
	<description>Security Wisdom Ahead of the Curve</description>
	<pubDate>Sun, 11 May 2008 23:58:36 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5.1</generator>
		<item>
		<title>By: Kurt.Seifried</title>
		<link>http://www.riskbloggers.com/jimreavis/2007/03/all-hail-the-grid/#comment-2697</link>
		<dc:creator>Kurt.Seifried</dc:creator>
		<pubDate>Sun, 18 Mar 2007 23:55:11 +0000</pubDate>
		<guid isPermaLink="false">http://www.riskbloggers.com/jimreavis/2007/03/all-hail-the-grid/#comment-2697</guid>
		<description>I agree, it reminds me of the same problems faced by intelligence agencies right now. You have an analyst that specializes in a certain geographical area, another specializing in chemical weapons, another in terrorist networks, another in smuggling using Baltic sea ports and finally a field agent that saw someone arranging for a shipping container that supposedly contains Chinese pottery. If you got them all in the same room and mentioned a few key data points they'd connect the dots, but sadly chances are they are not in the same room, and even when they are the key data points are buried in the avalanche of data and noise.

Anti-spam systems typically rely on a handful of techniques, but do not, for example, work with anti-web-phishing packages; for example, anything containing a link that resolves to a specific IP known to belong to a bulletproof hosting company in China, which is probably spam, makes it through instead, or a user that never receives gif or jpg images legitimately starts receiving hundreds of stock-touting spams using images.

I think we need to start thinking about a standard language/descriptors for security events so that devices can share intelligence and behavior, i.e. if IP X tries to spam you do you block it, or based on the fact that it belongs to a domain that users send legitimate email to (i.e. aol.com) do you allow it anyways but try to block the spam based on other identifiers? If a host nmap scans your network do you look at blocking that entire subnet, or do you actually have legitimate use coming from or going to that network? All these things are impossible since there is no way for devices to share information, sadly.

Much like warfare, attackers typically evolve much faster than defenders: guerrilla warfare vs. a traditional set-piece battle, cavalry vs. long bows or machine guns, insurgents and IEDs vs. convoys and civilian contractors. It doesn't work too well in warfare and it certainly won't work for computer and information security.</description>
		<content:encoded><![CDATA[<p>I agree, it reminds me of the same problems faced by intelligence agencies right now. You have an analyst that specializes in a certain geographical area, another specializing in chemical weapons, another in terrorist networks, another in smuggling using Baltic sea ports and finally a field agent that saw someone arranging for a shipping container that supposedly contains Chinese pottery. If you got them all in the same room and mentioned a few key data points they&#8217;d connect the dots, but sadly chances are they are not in the same room, and even when they are the key data points are buried in the avalanche of data and noise.</p>
<p>Anti-spam systems typically rely on a handful of techniques, but do not, for example, work with anti-web-phishing packages; for example, anything containing a link that resolves to a specific IP known to belong to a bulletproof hosting company in China, which is probably spam, makes it through instead, or a user that never receives gif or jpg images legitimately starts receiving hundreds of stock-touting spams using images.</p>
<p>I think we need to start thinking about a standard language/descriptors for security events so that devices can share intelligence and behavior, i.e. if IP X tries to spam you do you block it, or based on the fact that it belongs to a domain that users send legitimate email to (i.e. aol.com) do you allow it anyways but try to block the spam based on other identifiers? If a host nmap scans your network do you look at blocking that entire subnet, or do you actually have legitimate use coming from or going to that network? All these things are impossible since there is no way for devices to share information, sadly.</p>
<p>Much like warfare, attackers typically evolve much faster than defenders: guerrilla warfare vs. a traditional set-piece battle, cavalry vs. long bows or machine guns, insurgents and IEDs vs. convoys and civilian contractors. It doesn&#8217;t work too well in warfare and it certainly won&#8217;t work for computer and information security.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
