© Critical Informatics Inc., All Rights Reserved 2016

Threat Intelligence Blog

The Been There, Bled There Blog that covers, well, just about anything that we feel you can gain critical insight from. We wear our battle scars with pride and are grizzled enough to occasionally yell, “Get off of my Lawn!” As they say, “You Can’t Make This Stuff Up!”
(206) 687-9100
Critical Insight. It’s what we provide, and the name of our next generation product, just released July 31. The name, the product, the new capabilities and a new perspective on how to achieve all of it seemed worthy of explanation ... and maybe a fun puzzle.

As scientists and practitioners working in an infant science like information security, we find that we spend a lot of time looking at more mature sciences for models and techniques that we can use to “see further, by standing on the shoulders of giants”, to both paraphrase and mangle Sir Isaac Newton. We find ourselves reading textbooks and taking classes in statistics, numerical analysis, natural language processing and epidemiology, among other things.

When presented with the very real problem of modeling an approach that applies a mix of signature, anomaly, behavioral and reputation methods to the vast amounts of data available from modern networks and systems, our team kept finding themselves making great progress, then retracing their steps to accommodate new information, new threats or just plain new thinking.

Clearly, a state of continuous re-design is not sustainable for a service supporting regional critical infrastructure in the face of constantly evolving threats and a stream of successful attacks. We needed to find a giant’s shoulder, and we found one in logic puzzles.
There’s a classic set of logic puzzles, called “Knights and Knaves”, which revolve around the central concept that you have two resources you can question: Knights, who can tell only the truth, and Knaves, who can tell only lies. The important fact about this category of puzzles is that the solutions do not come in the form of an answer, but of a question. (Like Jeopardy, only with more symbolic math.)

As a brief example, consider the following puzzle: You are hiking in the Scottish Highlands and come to a fork in the path with a sign explaining that one path leads shortly to beer and a nice place to rest, while the other path is beset by mimes offering pretend cheese. Beside the road are two experienced travelers who know which path is which, but all you know is that one is a Knight and one is a Knave. You only have time for one question, and you can ask either of the travelers. What question do you ask? (Note: One possible answer is at the bottom of this blog entry.**)

Lots of us on the team have experience with these kinds of problems, so re-thinking our analysis approach as an exercise in knowing what questions to ask seemed like it could produce interesting results. In fact, this led us down the path that defines our approach and product. Put simply: We don’t know all of the questions we need to ask, and will never know them until it’s way too late to redesign our product to answer the new questions.
So, we take a data science approach to assimilating, indexing, enhancing and analyzing information, with the architectural goal of answering three categories of questions:

1. Questions we already know how to ask (not very hard).
2. Questions we don’t know about yet, but answers to which exist in the data (harder, data science required).
3. Questions we don’t know about yet, which the data itself will expose (much harder, machine learning pixie dust required).

Once we started looking at the problem this way, many aspects of the design fell into place (11.2 dry erase markers later). Modern approaches to remote data collection, queuing, indexing and archiving make it possible to ingest truly amazing quantities of data, structuring it ad hoc as needed. And the best part? We can ask questions of the data that we had no idea we’d need until an analyst saw something odd, squinted at it for a couple of seconds and then asked a new question.
Knights and Knaves, and CRITICAL INSIGHT. 8/01/2015. By Mike Simon, CISSP, CTO
For example, we’ve known for quite a while that lateral traffic (workstation to workstation) is somewhat odd, and that certain patterns can indicate that something is amiss (typically malware) and needs to be investigated. Wait, though: are there precipitating events in web logs, packet capture data or IDS signatures that we should be looking for in order to identify this malware before it happens? Maybe it’s happened elsewhere, so far undetected, and we can ID some systems to take a closer look at.

This is the essence of Critical Insight version 1.5. We combine our extensive experience as analysts, data scientists and security experts to reduce the mountain of data produced by any operational network into confirmed incidents, which we communicate to the affected parties as an Incident Action Plan (plugged into YOUR incident management process).

Our experienced analysts receive automated alerts based on known patterns. Our analytics engine provides live analysts with an unprecedented view of potential indicators of compromise, with the ability to pivot, restructure and generally find the needle in the needle stack. We provide reports at a reduction scale of 100,000:1 of real events that require your attention.

We are very excited about this new release. We’ve engineered a new on-premise Critical Insight Collector (CIC) to accept all of the sources of information your network produces. We’ve completely restructured connectivity from your on-site CIC to our Security Operations Center for greater resilience and zero perimeter impact. We’re asking questions we didn’t know to ask yesterday, and getting useful answers.
We’re tracking the Knaves like never before.

** One question that will work for this puzzle is “What would the other traveler say is the mime infested path?” The Knave will lie about what he knows the Knight will say, providing the mime path. The Knight will answer truthfully what lie he expects the Knave would tell, providing the mime path as well. Take the other path.

Mike Simon is the Chief Technology Officer at Michael K. Hamilton & Associates.
