A Conversation with Cristophe Huygens, CTO of MSSP Ubizen, Top Gun in the Cockpit of the SOC

by rthieme on August 17, 2002

Top Gun on the SOC

in Info Sec Mag, August 2002

Top Guns

When mind and machine meet in the cockpit of a SOC.

BY Richard Thieme and Andrew Briney

Blinking lights. Bells and whistles. Frosted glass windows. Big-screen LCDs projecting fancy UIs, colorful pie charts and streaming binary.

You expect eye candy when you tour a managed security operations center (SOC). You want mystique and intrigue, Tom Clancy, War Games and Mission Impossible. And the MSSPs are only too happy to oblige.

The pomp and circumstance is indeed impressive. But as it turns out, the most important computer in every SOC is the oldest computer of them all: the human brain. Security software has made great progress in its ability to consolidate, correlate and analyze event and log data from multiple devices–firewalls, IDSes, routers. But the people who sit in the cockpit of an MSSP SOC say old-fashioned intuition remains their most reliable tool when analyzing security events.

“Technology helps classify events, but has limitations,” says Cristophe Huygens, CTO of MSSP Ubizen. “We see these technologies more as traditional decision-support systems. Some straightforward rule-based classification can be done automatically, and you can relate that to a whole set of additional information. For instance, something you see in an intrusion detection probe may bring up something you saw in the firewall logs, so you can look at it from a holistic perspective and make a decision.

“That’s where the art and the magic of the decision-making process is difficult to qualify,” Huygens adds. “If it were simply based on rules, we would not need security analysts.”

Although it may sound obvious, a clear understanding of the distinction between what machinery can and cannot know is critical. Increasingly sophisticated IDSes, data mining software and security information management (SIM) systems can be used to identify and automatically respond to events using preset rules. But automation only gets you so far, Huygens says.

“We’re moving toward more and more accurate rules. If we had accurate measurement tools and a good overview of the situation at the customer’s site–his entire system, his vulnerabilities–then in theory we could specify a rule-based response,” he says. “But we don’t. That lack of information must be replaced by experience, customer intimacy, knowing how the customer does things.”

In effect, Huygens says, “The automated system is saying to the analyst, ‘Sorry, I don’t have enough information about the infrastructure or the signatures to figure out what’s going on here. You take over.’”
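As an added illustration (not Ubizen’s code, and not part of the original article), the following Python sketches the rule-based decision-support step Huygens describes: each IDS alert is joined with the firewall entries for the same source, destination and port inside a short time window, a few straightforward rules classify the result, and whenever a rule needs a fact the system does not have (here, whether the targeted host actually runs the attacked service, or whether a firewall record exists at all) the event is handed to an analyst rather than auto-closed. The asset inventory, the five-minute window, the record layouts and every IP address and signature name are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class IdsAlert:
    ts: datetime
    src: str
    dst: str
    dport: int
    signature: str


@dataclass
class FwLog:
    ts: datetime
    src: str
    dst: str
    dport: int
    action: str  # "ALLOW" or "DENY"


# Constructed asset inventory (assumption): the services the SOC knows each
# customer host runs. A host absent from this table is the "not enough
# information about the infrastructure" case Huygens describes.
ASSET_SERVICES = {
    "10.0.0.5": {80, 443},  # web server
    "10.0.0.9": {25},       # mail relay
}

CORRELATION_WINDOW = timedelta(minutes=5)


def correlate(alert, fw_logs, window=CORRELATION_WINDOW):
    """Firewall entries with the same source, destination and port as the
    IDS alert, within +/- window of the alert timestamp."""
    return [
        entry for entry in fw_logs
        if entry.src == alert.src
        and entry.dst == alert.dst
        and entry.dport == alert.dport
        and abs(entry.ts - alert.ts) <= window
    ]


def classify(alert, fw_logs, assets=ASSET_SERVICES):
    """Rule-based verdict plus the evidence behind it.

    Verdicts: "closed-blocked" (firewall denied every matching flow),
    "closed-not-applicable" (target does not run the attacked service),
    "incident" (allowed traffic to a live service), or "analyst" (the rules
    need a fact the system does not have, so a human takes over).
    """
    related = correlate(alert, fw_logs)
    if not related:
        return "analyst", f"no firewall record for {alert.src}->{alert.dst}:{alert.dport}"
    if all(entry.action == "DENY" for entry in related):
        return "closed-blocked", f"{len(related)} DENY entries, traffic never reached {alert.dst}"
    services = assets.get(alert.dst)
    if services is None:
        return "analyst", f"{alert.dst} not in inventory; cannot tell if '{alert.signature}' applies"
    if alert.dport not in services:
        return "closed-not-applicable", f"{alert.dst} does not serve port {alert.dport}"
    return "incident", f"allowed traffic to live service {alert.dst}:{alert.dport} matched '{alert.signature}'"


def triage_sample():
    """Run the rules over a constructed batch of alerts and firewall lines.
    Returns {alert source IP: verdict} so the outcome can be checked."""
    t0 = datetime(2002, 8, 1, 10, 0, 0)
    m = timedelta(minutes=1)
    sig = "WEB-ATTACK directory traversal"  # constructed signature name
    fw_logs = [
        FwLog(t0 + m, "192.0.2.10", "10.0.0.5", 80, "ALLOW"),
        FwLog(t0 + m, "192.0.2.20", "10.0.0.9", 80, "DENY"),
        FwLog(t0 + 2 * m, "192.0.2.20", "10.0.0.9", 80, "DENY"),
        FwLog(t0 + m, "192.0.2.30", "10.0.0.77", 80, "ALLOW"),
        FwLog(t0 + m, "192.0.2.40", "10.0.0.9", 80, "ALLOW"),
        # 192.0.2.50 deliberately has no firewall record at all.
    ]
    alerts = [
        IdsAlert(t0 + m, "192.0.2.10", "10.0.0.5", 80, sig),   # allowed, live web server
        IdsAlert(t0 + m, "192.0.2.20", "10.0.0.9", 80, sig),   # every flow denied
        IdsAlert(t0 + m, "192.0.2.30", "10.0.0.77", 80, sig),  # host unknown to inventory
        IdsAlert(t0 + m, "192.0.2.40", "10.0.0.9", 80, sig),   # mail relay, no port 80 service
        IdsAlert(t0 + m, "192.0.2.50", "10.0.0.5", 80, sig),   # no firewall record
    ]
    verdicts = {}
    for alert in alerts:
        verdict, reason = classify(alert, fw_logs)
        verdicts[alert.src] = verdict
        print(f"{alert.src:<12} {verdict:<22} {reason}")
    return verdicts


if __name__ == "__main__":
    triage_sample()
```

The design point is that “analyst” is an explicit verdict with a stated reason, not a dropped alert: counting how often the rules bail out, and why, shows the SOC exactly which inventory or measurement gaps are forcing humans to take over.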

Human Heuristics

The word “heuristics” often comes up in the context of advanced detection of viruses or intrusions. Software employing heuristic scanning attempts to identify attacks based on artificial intelligence and pattern matching.

But in the cockpit of a SOC, heuristics takes on a much more human element, says Chris Trudeau, director of technical operations at TruSecure’s managed security division in Atlanta.

“The technology isn’t going to help you with the unknown,” says Trudeau. “The technology can identify all the things that don’t apply to a specific set of rules or what’s acceptable. But understanding the output of that–determining which events are real and serious and which are of no concern–that requires an actual human to look at them. And that’s where human intuition comes into play.”

The oft-cited refrain of the gun lobby–“Guns don’t kill people; people kill people”–is often used as a metaphor for computer security. As in: “Computers don’t hack computers; humans do.” While the comparison can be useful in understanding the psycho-social aspects of intrusion detection, Trudeau suggests that it’s just as important to pay attention to the usage patterns of the other humans in the cycle: the end users.

“The large majority of things that would be classified as an incident are based not on somebody trying to get in to do bad stuff, but on the end user not understanding what they’re doing,” he says. “There are far more alerts resulting from users who just don’t understand what they’re doing than from hackers who are trying to do bad things.”

Element of Subjectivity

SOC operators will tell you that turning data into knowledge and content into context involves a lot of subjectivity. More to the point: When decision-making is equal parts technology and human intuition, you’d better have multiple levels of analysis to ensure accuracy.

Like many SOCs, Herndon, Va.-based NETSEC uses a multitiered event escalation process. Some decisions are made by junior support analysts, who sit in the trenches 24/7 looking for anything out of the ordinary. These Level 1 analysts err on the side of caution, says Derrick Jamieson, director of NETSEC’s NSOC operations. If there’s any doubt about the event in question, it gets sent up to an Analyst 2, then to an Analyst 3, and finally to Jamieson himself.

“By the time it reaches me, it has been confirmed as a malicious attack, potentially an intrusion, and is classified as a full-scale incident,” says Jamieson. “Client intervention has started, and I’m engaged in both resolving the incident and being a liaison with the client.”

NETSEC’s escalation policy reduces the likelihood that any analyst’s bias will distort the team’s decision-making. “There’s no traditional methodology for doing data analysis,” Jamieson says. “You develop it with your own style and flair. It’s how you see the sun and how I see it. Analysis is the same, based on subjective perception.”

A SOC’s multilayered decision-support infrastructure is further strengthened by the diversity of the analysts themselves, who often have varied yet complementary backgrounds. Tina Bird, director of network intelligence for Counterpane Internet Security, decides when the firm should issue alerts about new threats. Bird is a former systems admin who has a Ph.D. in astrophysics and likes to study mysticism–all of which she brings to bear when evaluating event data.

“I learned as a research scientist to look at data and infer what was causing the patterns I was seeing,” Bird says. “Today, I’m using those same skills. I watch myself make decisions and can see what I’m paying attention to. What makes me able to do this is a background in Zen meditation. I learned to observe my mind and see what I was keying on.”

The SOC staff’s best weapon is a balance in the knowledge base and expertise of its staff, Bird says. “That there is no well-defined career path in infosec isn’t all bad. Like an intelligence analyst, you have to see things in different ways and always be aware that you don’t know the angle from which your attacker is coming.”
