Endpoint SWAT: Protect the Endpoint Community

Epidigitalogy: Digital Disease Control (Part V) 

Aug 25, 2014 09:44 AM

Epidigitalogy Survey Study Types
In the field of epidemiology there are two study types that I think would be beneficial to the epidigitalogist. The first is a retrospective cohort study, which looks to the past and compares a known group (a “cohort”) against other groups to identify differences. If we have a known diseased group of machines, we can look back in time to see which other systems exhibited the same attributes. A sample retrospective cohort study might show that computers whose hard drives are at 95% capacity tend not to retrieve their content in a timely manner, thereby spending more time in a vulnerable state. The second is a prospective cohort study, which looks at the present state of hosts, selects a cohort of interest and follows it forward in a controlled experiment. For example, a prospective cohort study would take a group of systems that all share a specific attribute not found on the rest of the systems and determine the frequency of disease in that cohort compared to the rest. Over time a pattern may emerge that either confirms or contradicts a hypothesis.

In today’s highly competitive landscape, with just-in-time everything, anything that interrupts business, or could potentially interrupt it, tends to be avoided. Security is not immune from this avoidance. So how does an information security professional convince management that installing security feature or process X will help, rather than hinder, the organization’s uptime? A retrospective or prospective cohort study may be just the evidence needed to advocate a new control. Both types of study can help answer questions such as:


1. Does exposure to USB executables increase likelihood of infection?
2. How much risk is involved in allowing users to use USB?
3. How much benefit is gained in allowing users to use a specific feature (e.g. USB)?
4. How many hosts have been infected in the last X number of days?
5. What technology is triggering indicators and where are they located?
6. What sources are the triggers associated with? (USB, Registry, Process, File system, Network?)
7. What is the infection frequency of hosts over time?
8. Where are the most infections or events occurring? (Which subnet? Which logical group? Which OS?)
9. Which operating systems are exhibiting more events? (Known malicious or suspected malicious)
10. Which applications are triggering the most events? Is this indicative of a false positive, or some early indicator of digital disease onset?
11. When are the events occurring? (By OS, application, IP, port, logical grouping)
12. Who is triggering the most events over time? (By OS, application, IP, port, logical grouping)
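A minimal retrospective cohort analysis of the first and eighth questions above, as an added example that is not part of the original post; the host records are constructed and the field names (`usb_exec`, `infected`, `os`, `subnet`) are assumptions:

```python
# Added example (not from the original post): a retrospective cohort
# analysis over constructed endpoint records. The record fields are
# assumptions; real rows would come from an endpoint or SIEM inventory.
from collections import Counter
from typing import Dict, List

# Constructed sample: one row per host with the attributes the survey
# questions ask about (USB executable exposure, OS, subnet) and the outcome.
HOSTS: List[dict] = [
    {"host": "ws01", "os": "Win7", "subnet": "10.1.1.0/24", "usb_exec": True,  "infected": True},
    {"host": "ws02", "os": "Win7", "subnet": "10.1.1.0/24", "usb_exec": True,  "infected": False},
    {"host": "ws03", "os": "Win7", "subnet": "10.1.2.0/24", "usb_exec": True,  "infected": True},
    {"host": "ws04", "os": "Win8", "subnet": "10.1.2.0/24", "usb_exec": True,  "infected": True},
    {"host": "ws05", "os": "Win8", "subnet": "10.1.1.0/24", "usb_exec": False, "infected": False},
    {"host": "ws06", "os": "Win8", "subnet": "10.1.2.0/24", "usb_exec": False, "infected": False},
    {"host": "ws07", "os": "Win7", "subnet": "10.1.3.0/24", "usb_exec": False, "infected": True},
    {"host": "ws08", "os": "Win8", "subnet": "10.1.3.0/24", "usb_exec": False, "infected": False},
]

def cohort_risk(records: List[dict], exposure: str, outcome: str = "infected") -> Dict[str, float]:
    """Compare the outcome rate in the exposed cohort with the unexposed
    cohort and return the risk ratio (exposed rate / unexposed rate)."""
    exposed = [r for r in records if r[exposure]]
    unexposed = [r for r in records if not r[exposure]]

    def rate(group: List[dict]) -> float:
        # An empty cohort yields 0.0; the returned counts make the gap visible.
        return sum(1 for r in group if r[outcome]) / len(group) if group else 0.0

    er, ur = rate(exposed), rate(unexposed)
    # If no unexposed host is diseased, the ratio is unbounded rather than undefined.
    ratio = er / ur if ur else (float("inf") if er else 0.0)
    return {"exposed_n": len(exposed), "exposed_rate": er,
            "unexposed_n": len(unexposed), "unexposed_rate": ur,
            "risk_ratio": ratio}

def event_counts(records: List[dict], key: str, outcome: str = "infected") -> Counter:
    """Count diseased hosts per value of `key` (OS, subnet, ...), answering
    "where are the most infections occurring?"."""
    return Counter(r[key] for r in records if r[outcome])

if __name__ == "__main__":
    print(cohort_risk(HOSTS, "usb_exec"))          # risk_ratio 3.0 on the sample
    print(event_counts(HOSTS, "os").most_common())
    print(event_counts(HOSTS, "subnet").most_common())
```

A ratio above 1 means the exposed cohort carries more disease; with cohorts this small, report the counts alongside the ratio before advocating a control on the strength of it.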

I am advocating this proactive, continuous graphing and statistical analysis of the relationships between different variables in the organization as a means to increase the probability of capturing endemic pathogens in the environment. These statistics-based tasks may be perceived as “boring work”, since most of the excitement is in the incident response and breach investigation process, but prevention is worth more in terms of cost and loss avoidance. In today’s digital disease landscape we can no longer afford the cost and excitement of incident response; the path forward is the effective implementation of the methodical statistical analysis and human correlation that will curtail breaches.

Diversified Skills are Beneficial to the Investigation
It is important to point out that Dr. Snow did not focus on just one area of expertise. He was a pathologist, a clinician and an epidemiologist. He did the “boring work” to get at the crux of cholera. He leveraged information from geospatial data, clinical results, pathology and chemistry. By his example, information security professionals must also draw on different disciplines for ideas on how to combat a digital disease. By combining information from many different disciplines, Snow was able to formulate his hypothesis. It is surprising to think that Dr. Snow was able to combat cholera without ever seeing it. The insight we can derive from Snow’s way of thinking is this: when information and time are limited, the mode of communication and the actions of the disease pathogen are more important than knowing the pathogen’s structure. When discussing digital disease pathogens, knowing the pathogen’s mode of communicability is more important than reverse engineering it to ascertain its exact structure. This is not to say that reverse engineering a digital disease pathogen is a worthless endeavor. To the contrary, it can add tremendous insight into how the pathogen behaves, but when the pathogen has not yet been captured, understanding its mode of communication may help in recommending a mitigating control which can quarantine or contain the pathogen long enough to minimize or prevent damage, while at the same time affording the time to capture it for analysis.
Epidigitalogy surveys will not reveal the internal structures of a digital disease pathogen. They will, however, narrow the focus to commonalities and outliers, which helps in installing or removing technical or procedural controls to reduce or eliminate a digital disease. As Dr. Snow’s survey showed, a full understanding of a pathogen is unnecessary to make a change to an environment which helps the public. When time permits, it is prudent to revisit the pathogen and learn its inner workings. This is the function of malware reverse engineering specialists.
Culture and its importance to security
The causes of a digital disease may not be completely evident in the host data survey results. In order to comprehensively understand the health state of a digital environment, the social and cultural habits of the users need to be taken into account as well. What is the use of spending time and resources implementing a digital control, only to have the users circumvent it? In Snow’s time, the equivalent would have been the Broad Street residents putting their own temporary handle back on the Broad Street pump in order to obtain convenient water clandestinely in violation of the law. In order for information security professionals to get a comprehensive understanding of the environment, they must interact with the user community and understand their wants and needs. By understanding the wants and needs of the community, an information security professional can more easily hypothesize how users would react to policy changes or other mitigating controls. One activity information security professionals can perform to increase their knowledge of the users and also inform the users of their role in security would be to provide security workshops. If users are better informed on the information security methodology, reasons for implementation, and the consequences of not adhering to policy, everyone stands to benefit.
At the CDC it wouldn’t be out of the ordinary to hear someone ask, “Where is the handle to this Broad Street pump?” I hope the day comes when a non-technical executive asks an information security director, “How close are we to getting a handle on this digital disease?” If executive management can more easily understand what is being communicated to them and are able to make better informed decisions based on that understanding, then we may very well enter an improved public health phase against digital diseases.

If we do our part to continuously monitor and improve digital health, historians of tomorrow may look back at the 1990s and early 21st century as a transitional phase to a healthier digital world. Will digital diseases disappear completely? The history of biological diseases tells us no, but with proper hygiene and community health survey methods, major epidemics may become a very rare occurrence. By following the ideas of the epidemiology field, I believe we can obtain similar success and safety. If we do achieve a greater level of community health, humanity’s digital cities will flourish to greater heights.
I'd like to end by rephrasing a quote by Dr. John Snow, "You and I may not live to see the day, and our names may be forgotten when it comes; but the time will arrive when digital diseases will be things of the past; and it is the knowledge of the way in which the disease is propagated which will cause them to disappear."

Thank you for reading this blog. If we work together and share our analytical procedures and scripts we can all stand a better chance of detecting digital diseases before they seriously impact public health. Feel free to reach out to me via the discussion forum feature in this blog.  
