Cyber Security Concepts


Created July 2019

Note: Click here for a more detailed discussion on Security. 👈✅

Hey,
I always wanted to write down what I learned about the "Security" concept. All this information is from my personal experiences and from reading content published on the web, in books and in articles.

Basic Ideas on Security:

If you want to skip the intro and jump to the Machine Learning implementation for security, go to "Machine Learning for Security" below.

And here it is....

From my understanding and experience, Security is not a framework or an architecture. It is based on discipline and practices that prevent Enterprise assets from being "misused".

All of the concepts can be divided into the following for better explanation:

Integrity: It is based on Authenticity. Only the person who has authenticated should be able to alter, update or delete information. No other person should ever be able to alter the information without permission. It also enforces the reliability of the source of information: "You are really who you say you are".

Confidentiality: Only the person who is authorized to see the data or information should be allowed to. If that does not happen, it is called a "breach". A breach causes data to be stolen and used illegally to gain access to other assets. Data breach is one of the top security concerns for companies that deal with large amounts of highly confidential customer information.

Two-level security and using HTTPS along with Cryptography allow companies to reduce Integrity and Confidentiality concerns. Another important aspect of security is using common sense.

Availability: When a "bad guy" does not get access to the data or information, they try to cripple the system by making the system/server unavailable for genuine access.

OSI Level 2 (Data Link Layer), OSI Level 3 (Network Layer) and Level 4 (Transport Layer) security becomes highly important in addition to the Host layers. How you detect tons of API calls coming from one IP address, and how you handle the situation, is one of the ideas behind this. Safeguarding MAC addresses from port flooding becomes important.
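As an added example (not code from the original post), here is a small sliding-window detector for the "tons of API calls from one IP address" situation mentioned above. The log format, the threshold and the sample lines are constructed assumptions for the demo:

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines: "<ISO timestamp> <client IP> <method> <path>".
# Not real traffic; 203.0.113.7 is deliberately bursty, 198.51.100.2 is normal.
SAMPLE_LOG = """\
2019-07-01T09:00:00 203.0.113.7 GET /api/login
2019-07-01T09:00:01 203.0.113.7 GET /api/login
2019-07-01T09:00:01 198.51.100.2 GET /api/items
2019-07-01T09:00:02 203.0.113.7 GET /api/login
2019-07-01T09:00:03 203.0.113.7 GET /api/login
2019-07-01T09:00:04 203.0.113.7 GET /api/login
2019-07-01T09:00:30 198.51.100.2 GET /api/items
2019-07-01T09:01:10 203.0.113.7 GET /api/login
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, path)."""
    ts, ip, _method, path = line.split()
    return datetime.fromisoformat(ts), ip, path


def find_bursty_ips(log_text, window_seconds=10, max_requests=4):
    """Return {ip: time_first_flagged} for every IP that sends more than
    max_requests within any window_seconds-long sliding window.
    Lines are assumed to be in chronological order (as in a real access log)."""
    windows = defaultdict(deque)   # per-IP queue of recent request timestamps
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _path = parse_line(line)
        recent = windows[ip]
        recent.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) > max_requests and ip not in flagged:
            flagged[ip] = ts.isoformat()
    return flagged


if __name__ == "__main__":
    print(find_bursty_ips(SAMPLE_LOG))  # → {'203.0.113.7': '2019-07-01T09:00:04'}
```

The action taken on a flagged IP (rate limiting, blocking at the network layer, or just an alert) is a policy decision; the detector only produces the evidence.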

Before we go into TCP/IP layer security details, let me talk about the concept of Vulnerability.
Vulnerability: I call this a human error caused while designing, coding or even documenting the product. Not taking enough care to Authorize, Authenticate, Evaluate and Encrypt the data causes all sorts of Vulnerabilities. For example, if the Access Control List used to control who gets access to what, when and how gets compromised by a piece of software, then how good is your security? Another type of Vulnerability is when a user gets exposed because of clicking a hyperlink in an HTML page (as in a phishing attack).

Trust based on assumptions could be another cause of vulnerability. What if the ARP (Address Resolution Protocol) cache is somehow altered by a rogue, and now any software that uses the ARP cache maps a MAC address to the wrong IP? This could be pretty bad. The bottom line is that everything that holds data/info needs to be encrypted. One way I see companies avoid HTML-based email phishing attacks is to use software that compares the actual sender's email address against what they pretend to be, AND to use URL defense software.

Some vulnerabilities:
1) SQL Injections
2) Down level or compromised Authorization and Authentication
3) Security (Mis)Configuration.

#1, 2 and 3 are all self-inflicted wounds, as the Security "system" does not understand the entire Enterprise policies and procedures for validating inputs, upgrading, granting, tracking and denying service.

Here is the picture of the OSI model (obtained from Wikipedia): [figure: OSI Model v1.svg]
Source: https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Telecommunications_and_Network_Security

As we see, Layers 1, 2 and 3 are HW/media layers, and compromising these layers could be disastrous. I shall discuss this concept a bit later, but first I would like to speak about how machine learning can help with Security.


Machine Learning for Security

Let me start with the problem statement.

There is too much data that machines and software (OS, servers, application programs) produce. It becomes a daunting task to analyze the data, come up with meaningful insight and take action in response. Reacting is the worst thing, and it is the consequence of your unpreparedness.

Coming to analyzing data: correlation and autocorrelation (in time series analysis) can help identify how different events that occur are related, ending in an "event". As we know, the analysis is only as good as your data. So data gathering, pipelining and cleaning are very important for security. Data Mining is like digging in the graveyard. Sounds graphic, but it is done as a long-term analysis. We need instant analysis and response (fast and accurate, in real time).

Machine learning concepts that I found super useful are:
1) Supervised learning -
Time series
Simple Linear, Multiple Linear,
Polynomial,
Decision trees,
Classification models - Logistic (Yes/No), KNN

2) Unsupervised learning -
Clustering, and Pattern recognition

Software like Splunk enables bringing data from several data points together (via its REST interface) and seeing all the events that happened around the "pain" period. This is very beneficial for understanding all that happened, analyzing it and understanding the "big picture".

The SIEM should not stop at just Information and Event management. That means we are in reactive mode if we are just sending emails and messages after things happen. One use case could be to run regression, correlation and autocorrelation to identify which parameters are dependent, and how deeply they can influence and be influenced.

Once we have a conclusion (the outcome) and all the data inputs, running statistical regression models could (1) identify the dependent variable of "bigger" influence and (2) quantify the impact on the final outcome.

When the outcome is not yet known and we want to see how things are adding up as a whole, clustering and pattern recognition help a lot. For example, there are too many events happening around 9:00AM every night in some geographical area. Is this a pattern that we are aware of, or something that we need to look into deeper?
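The autocorrelation idea from the paragraphs above, applied to the "too many events at the same hour every day" question, as an added example that is not code from the original post. The hourly event counts are constructed (baseline noise plus a spike at one fixed hour each day), and the lag search and threshold are assumptions for the demo:

```python
import random


def autocorrelation(series, lag):
    """Sample autocorrelation of a series at the given lag: how strongly
    x[t] and x[t+lag] move together, normalised to the range [-1, 1]."""
    n = len(series)
    mean = sum(series) / n
    var = sum((x - mean) ** 2 for x in series)
    if var == 0:
        return 0.0
    cov = sum((series[t] - mean) * (series[t + lag] - mean) for t in range(n - lag))
    return cov / var


def constructed_hourly_counts(days=7, spike_hour=21, baseline=5, spike=40, seed=1):
    """Constructed data (not real telemetry): events per hour for `days` days,
    ~baseline events every hour plus an extra `spike` at spike_hour each day."""
    rng = random.Random(seed)
    counts = []
    for _ in range(days):
        for hour in range(24):
            noise = rng.randint(-2, 2)
            counts.append(baseline + noise + (spike if hour == spike_hour else 0))
    return counts


def dominant_lag(series, max_lag=72):
    """Lag (in hours) with the strongest autocorrelation: 24 means a daily pattern."""
    return max(range(1, max_lag + 1), key=lambda lag: autocorrelation(series, lag))


def peak_hour(series):
    """Hour of day (0-23) with the highest total event count."""
    totals = [0] * 24
    for t, count in enumerate(series):
        totals[t % 24] += count
    return max(range(24), key=lambda h: totals[h])


def daily_pattern_report(series, threshold=0.5):
    """Return (is_periodic, dominant lag, autocorrelation at that lag, peak hour).
    is_periodic is True when the strongest lag is a clear repeat (>= threshold)."""
    lag = dominant_lag(series)
    strength = autocorrelation(series, lag)
    return strength >= threshold, lag, round(strength, 3), peak_hour(series)


if __name__ == "__main__":
    print(daily_pattern_report(constructed_hourly_counts()))
```

A strong autocorrelation at lag 24 with a single peak hour is the "known pattern" case from the text (a scheduled job, a backup window); the same numbers on a series where no such schedule exists are the signal that the hour deserves a closer look.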

I shall discuss more in coming days........

Sources:
1) https://developer.mozilla.org/en-US/docs/Web/Security
2) Wikipedia.org
3) Machine Learning for Security