At last week’s TF-CSIRT meeting, Gavin Reid from Cisco suggested that we may have been over-optimistic about how much technology can do to detect and prevent incidents. Automated incident prevention systems can be effective at detecting and preventing automated attacks but are less effective against targeted attacks that use human intelligence rather than brute force. In the worst case an organisation that relies too much on automation may end up designing its security stance to suit the available automation systems, rather than the other way around.
The presentation was a reminder that technology should aim to enhance the abilities of human incident responders, not to replace them. This gives computers two roles: to perform basic analysis of simple threats themselves and to help humans investigate more complex ones. Cisco’s logging of internal systems and networks has been increased: they now record two trillion log records and thirteen billion flow records every day. Transmitting this volume of information to a central logging system could itself cause problems for the network so it is instead held in local and regional databases around the world. Incident responders can then run distributed queries across all these databases to obtain correlated information about particular events from networks, servers, personal computers and customised monitoring systems. Having complete information about network traffic even allows negatives to be proved: for instance that between the time when a system was compromised and when the compromise was discovered there were no network flows that would indicate the export of sensitive information from it.
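The "proving a negative" query described above, worked through as an added example (this is illustrative code written for this post, not Cisco's tooling): flow records are held in per-region stores, an incident responder fans a query out to every region for a given host and time window, merges the results, and then checks whether any flow in the window left the internal address space. All addresses, regions, timestamps and byte counts below are constructed; the internal network ranges and the `Flow` record layout are assumptions for the illustration.

```python
"""Added example: checking distributed flow records for outbound transfers
from a compromised host between compromise and discovery. All data here is
constructed for illustration; nothing is taken from a real network."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed internal address ranges; a real deployment would load these from
# its own address plan.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: datetime       # flow start time
    src: str           # source address
    dst: str           # destination address
    dport: int         # destination port
    bytes_out: int     # bytes sent from src to dst
    region: str        # which regional store held the record


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def parse_flow(line: str, region: str) -> Flow:
    """Parse one constructed record: '<iso-time> <src> <dst> <dport> <bytes>'."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes), region)


# Constructed regional stores: each region keeps only the flows it observed.
REGIONAL_STORES = {
    "eu-west": [parse_flow(l, "eu-west") for l in [
        "2013-03-04T08:30:00 10.1.2.3 198.51.100.7 443 2000",     # before compromise
        "2013-03-04T10:15:00 10.1.2.3 10.2.0.5 445 900000",       # internal transfer
        "2013-03-04T11:00:00 10.1.2.3 203.0.113.9 443 120",       # small external flow
        "2013-03-04T13:00:00 10.5.5.5 10.2.0.5 445 3000",         # other host, internal
    ]],
    "us-east": [parse_flow(l, "us-east") for l in [
        "2013-03-04T12:00:00 10.9.9.9 198.51.100.7 443 5000",     # unrelated host
        "2013-03-04T14:20:00 10.1.2.3 198.51.100.7 22 50000000",  # large external flow
        "2013-03-04T19:00:00 10.1.2.3 198.51.100.7 22 50000000",  # after discovery
    ]],
}

# Constructed incident timeline for the example.
COMPROMISED_AT = datetime.fromisoformat("2013-03-04T09:00:00")
DISCOVERED_AT = datetime.fromisoformat("2013-03-04T18:00:00")


def query_region(store, host: str, start: datetime, end: datetime):
    """The per-region part of the query: flows from host inside [start, end]."""
    return [f for f in store if f.src == host and start <= f.ts <= end]


def distributed_query(stores, host: str, start: datetime, end: datetime):
    """Fan the same query out to every regional store and merge by time."""
    merged = []
    for store in stores.values():
        merged.extend(query_region(store, host, start, end))
    return sorted(merged, key=lambda f: f.ts)


def external_transfers(flows, min_bytes: int = 0):
    """Flows that left the internal address space and carried at least min_bytes.

    An empty result is only evidence of 'no export' if flow capture was
    complete for the whole window, which is the point the post makes about
    needing full coverage."""
    return [f for f in flows if not is_internal(f.dst) and f.bytes_out >= min_bytes]


def bytes_per_destination(flows):
    totals = {}
    for f in flows:
        totals[f.dst] = totals.get(f.dst, 0) + f.bytes_out
    return totals


if __name__ == "__main__":
    for host in ("10.1.2.3", "10.5.5.5"):
        window = distributed_query(REGIONAL_STORES, host, COMPROMISED_AT, DISCOVERED_AT)
        ext = external_transfers(window, min_bytes=1_000_000)
        print(host, "flows in window:", len(window),
              "large external:", bytes_per_destination(ext) or "none")
```

For the compromised host the merged window contains three flows and only one of them is a large transfer to an external address; for the second host the same query returns no external flows at all, which, given complete capture, is the negative result the post describes.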
This approach needs lots of systems and storage, and smart incident responders to use them, but given that most reports suggest that cybercrime is at least as great a threat as physical crime, shouldn’t we be prepared to spend an equivalent amount to protect against it?