English language dictionaries define the word “Analysis” as “separation of individual components from a whole” (the antonym of analysis is synthesis).
I am astonished to see how Information Security Incident Analysts take this definition word for word!
I have seen even senior information security professionals expect and accept security incident analysis that is very vague and insufficient.
The analysis referred to above had the following details (this example is an incident triggered by a security device such as an IPS, IDS or firewall):
- Source IP Address
- Destination IP Address
- Destination Port Number
- Vendor Signature
Actually, for preventive action to be taken, some more information should be provided to the security, network and system admins. The information provided should be as follows:
- Source IP Address
- Destination IP Address
- Source Port Number (enables you to detect if it is return traffic)
- Destination Port Number
- Vendor Signature and what it means
- Protocol type (TCP/UDP/ICMP)
- Application
SIEM tools readily provide this information without much effort.
So what is the Security Analyst's job then? Along with providing the above-mentioned information, he should create a "conclusion".
Well, here is an example of how we use misnomers in our day-to-day life: the Security Analyst will actually have to “synthesize” this data to create a meaningful “conclusion”.
This resultant conclusion will carry the same information as the original, but in human-readable form and without payloads (keeping only the metadata, nothing raw any more), so that proper action can be taken, e.g. blocking, or just raising an alert and letting this type of incident pass in future.
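As an added example (not part of the original post), here is a small Python routine that synthesizes a raw sensor alert into the enriched summary listed above, including the source-port check for return traffic and a conclusion that proposes block-or-alert. The signature meanings, port-to-application map, internal network ranges and sample alerts are constructed placeholders, not values from any real sensor.

```python
from ipaddress import ip_address, ip_network

# Constructed mappings; in practice these come from vendor docs, the SIEM and the asset inventory.
SIGNATURE_MEANING = {"VENDOR-1001 SSH brute force": "repeated SSH login failures",
                     "VENDOR-2042 HTTP directory traversal": "../ sequences in a web request"}
APPLICATION_BY_PORT = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_return_traffic(src_port, dst_port):
    """Heuristic from the post: a well-known service port on the source side and an
    ephemeral port on the destination side means the sensor saw the server's reply."""
    return src_port < 1024 <= dst_port


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETWORKS)


def synthesise(alert):
    """alert: dict with src_ip, dst_ip, src_port, dst_port, proto and signature."""
    proto = alert["proto"].upper()
    src_port, dst_port = alert.get("src_port", 0), alert.get("dst_port", 0)
    meaning = SIGNATURE_MEANING.get(alert["signature"], "unknown; check vendor documentation")
    returning = proto in ("TCP", "UDP") and is_return_traffic(src_port, dst_port)
    # The application is identified by the service side of the conversation.
    app = APPLICATION_BY_PORT.get(src_port if returning else dst_port, "unknown")
    if returning:
        conclusion = (f"reply from {app} service {alert['src_ip']}:{src_port}; locate the "
                      f"original request from {alert['dst_ip']} before acting")
    elif is_internal(alert["src_ip"]):
        conclusion = (f"internal host {alert['src_ip']} triggered '{meaning}' against "
                      f"{alert['dst_ip']}:{dst_port}/{proto}; alert and investigate the host")
    else:
        conclusion = (f"external host {alert['src_ip']} triggered '{meaning}' against "
                      f"{app} on {alert['dst_ip']}:{dst_port}/{proto}; candidate for blocking")
    return {"src_ip": alert["src_ip"], "dst_ip": alert["dst_ip"], "src_port": src_port,
            "dst_port": dst_port, "protocol": proto, "signature": alert["signature"],
            "signature_meaning": meaning, "application": app,
            "return_traffic": returning, "conclusion": conclusion}


# Constructed alerts as a sensor would emit them: metadata only, no payload.
SAMPLE_ALERTS = [
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.5", "src_port": 51515, "dst_port": 22,
     "proto": "tcp", "signature": "VENDOR-1001 SSH brute force"},
    {"src_ip": "10.0.0.8", "dst_ip": "198.51.100.9", "src_port": 80, "dst_port": 40211,
     "proto": "tcp", "signature": "VENDOR-2042 HTTP directory traversal"},
]
```

Running `synthesise` over `SAMPLE_ALERTS` flags the second alert as return traffic from the internal web server, which is exactly the case the source-port field in the list above is meant to catch.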