Ken Hines, Protecting key network-based assets and processes
Daily, across the enterprise network, thousands of suspicious events are detected, bombarding the security analyst with individual and unrelated data points that must be manually interpreted in order to assess potential threats effectively. The vast majority of these events will prove to be innocuous because of the dynamic nature of enterprise networks. As a result, it is difficult and time-consuming to separate real threats from harmless anomalies. IT security teams waste precious time chasing false positives. More importantly, enterprises face increased exposure to false negatives, where damaging breaches go undetected because they are lost in the background noise of normal network activity.

Attacks against enterprises are shifting from notoriety-driven to criminal in nature. Such criminal attacks are sophisticated, subtle, and targeted. External hackers and malicious insiders are willing to invest more and more energy and patience to achieve their goals. They understand the network security technologies deployed on enterprise networks and craft their attacks to avoid detection. By becoming a needle in the haystack of network and security event data, they are better able to proceed undetected. This trend is a serious issue for enterprises to address, as traditional security technologies are ill prepared to expose subtle, slow attacks and zero-day threats not yet discovered by the security community.

Causality analysis technology addresses these issues by uncovering and tracking relationships between suspicious and often seemingly unrelated events. Unlike detection solutions that focus on individual events, causality-based Security Analytics shifts the analyst's focus to chains of behavior by automatically "connecting the dots" from one suspicious event to the next. Visually presenting chains of suspicious activity provides a completely new level of knowledge, enabling security teams to assess threats accurately and quickly.

Name: Ken Hines
Title: Chief Technology Officer (CTO)
Likes to be called: Ken
Company: GraniteEdge Networks
The Concept of Causality Analysis

Fundamentally, causality analysis determines whether two or more events are related. By determining the existence of relationships and the relative significance of events, the focus shifts from individual events to behavior. The power of causality analysis within network security stems from the ability to answer the fundamental question: "Are these identified odd network behaviors related to each other?" By answering this question continuously as each odd behavior is identified, a causal chain (a connected series of related and suspicious activity) emerges and can be tracked in real time. With this knowledge, the security team is able to assess and respond to risky behaviors accurately and quickly.

Identifying relationships: Causality analysis identifies causal relationships by observing all network communication flows as they occur between networked devices (desktops, servers, switches, firewalls, etc.). Every communication flow comprises at least two distinct events, a send event and a receive event. Over the course of a typical day, millions of events will occur, and causality analysis keeps track of them all. Any two events are deemed causally related if a communication path exists between them, either directly or indirectly. If no such communication exists, the events are deemed causally independent. To identify such causal relationships accurately, all levels of relationships must be tracked to determine which events are in fact causally related. The result of continually tracking and identifying causal relationships among all events is a causal map, which must be capable of providing rapid answers to causality queries irrespective of the number of causal links involved. This requires complex and intensive processing to track all communications and generates a tremendous amount of data. As a result, causality-based Security Analytics solutions will include powerful processing capabilities and terabytes of storage capacity.

Focusing on Behaviors of Interest: Security analysts need the ability to home in on suspicious behaviors in order to assess their significance. Accordingly, specific behaviors of interest must be distinguishable from normal network activity. This is a multi-step process that begins by identifying unusual events. Because all communication flows are tracked and mapped in terms of causal relationships, a baseline of normal network activity is established. Each time a new event occurs, causal relationships are identified and the overall causal map continues to build. Events that fall outside the established baseline of normal behavior are flagged as unusual. Then the question is asked: "Are these identified odd behaviors related to other odd behaviors?" If yes, a causal link is established and the process continues. Though suspicious events are sometimes related through a single communication link, more often there will be many seemingly normal events between them. In fact, in a normal network environment, fewer than one event in every ten thousand will be considered odd or anomalous. This means that to determine whether two suspicious events are causally related, it is necessary to consider the causal relationships among at least ten thousand normal events. In many cases it is necessary to consider causality through many more orders of magnitude.

The question of intent: To defend against threats effectively, the security team must be able to quickly distinguish true threats from unusual but benign activity. Because networks are dynamic, many unusual events will occur daily. Large networks can trigger several thousand IDS alerts daily. Assessing each and every unusual network event individually is practically impossible.
To be effective, the focus must shift from event-by-event evaluation to assessing the entire suspicious behavior. By working with causal chains of suspicious behavior instead of individual events, the visualization and understanding of unusual activities is greatly enhanced, allowing the security team to quickly and accurately determine the significance of a potential threat.

Causality Analysis versus Correlation

On the surface, causality may appear similar to correlation. They are in fact very different concepts. Whereas causality analysis is based on observing event relationships as they unfold, correlation is based on trend analysis. Because of this, causality analysis is more accurate and provides significantly greater insight into behaviors. Correlation techniques identify relationships between two entities or events based on a common trait shared between them and displayed over a period of time. There may be a direct relationship, an indirect relationship, or no relationship at all, since correlation is based on statistical probabilities. Even if there is a true relationship, it may be the case that both events were caused by an unrecognized third event. Correlation techniques provide no insight into the nature of the relationship, only that it exists. Within network security, correlation is useful for monitoring the overall health of the network and providing general indications of suspicious behavior by looking for patterns in log data. Unfortunately, event logs do not preserve the relevant communication behaviors, so there is only a loose association between the data contained in various logs. When insight into the actual details of suspicious behavior is needed, a different paradigm is necessary. Causality analysis goes beyond identifying whether relationships exist by providing a detailed view into the nature and extent of the relationships between entities.

As discussed earlier, causality analysis tracks relationships between events as they develop, exposing the natural order and precedence in which events occur and thus identifying causal relationships. Causality analysis is capable of mapping specific threads through complex environments comprising thousands of inter-related events. Accordingly, causality analysis provides deep insight into the nature of behaviors, which is essential for rapid response when exposing and tracking network threats.
By applying both causality analysis and correlation to a commonly seen example, the differences between the two approaches can be better appreciated. The example assesses the impact of severe weather on the commercial air transit system. A typical day within the commercial air transit system includes thousands of individual flights between hundreds of locations in the United States alone. A single airplane will often service several routes a day, and delays to one aircraft may impact the schedules of other aircraft. There are thousands of inter-dependencies within the system every day.

Imagine you are responsible for managing the daily flight schedule for a major airline. To minimize customer disruption, you need to assess the impact of a large winter storm on flights in real time throughout the system as the situation unfolds. In this scenario, a severe snowstorm passing through Illinois has delayed several flights at the Chicago airport. The impact extends system-wide, as flights elsewhere in the country are counting on aircraft routing through Chicago. What can correlation techniques and causality analysis provide in terms of helping understand and manage the crisis?
As the above example demonstrates, causality analysis and correlation are distinct concepts, providing different perspectives. Correlation provides macro-level information compared to causality analysis. Trend data, though valuable for planning and preparedness, lacks the granularity necessary to actively mitigate issues. Because causality analysis provides rich insight into the nature of relationships, it is superior for analyzing complex environments that must be managed in real time. In the next section, the application of causality analysis within network security is explored in greater detail.

The Application of Causality Analysis to Network Security

As discussed above, causality analysis is very useful when assessing complex indirect relationships involving many entities, where human analysis would be extremely difficult and time-consuming. This is especially the case within a large corporate network, where millions of events occur every day and the network itself is constantly evolving. To illustrate how causality analysis functions within network security, consider the following example: six computers comprise a small subnet of a ten-thousand-node network. The security team is actively monitoring the entire network using the latest firewall, intrusion detection (IDS) and security information management (SIM) technology. A suspicious event occurs on Computer A, and the next day another suspicious event occurs on Computer E. Both incidents are seen by the deployed detection solutions but appear isolated and unrelated. Furthermore, they are indistinguishable from the thousands of other unusual events detected by these technologies daily. As a result they are ignored. Unfortunately, this is a zero-day worm just beginning to proliferate. The worm was brought into the network unknowingly by an outside IT consultant who connected to the network using an infected laptop (Computer A). He was authorized to be on the network, and because there is no signature for a zero-day worm, network access control mechanisms allowed the laptop onto the network.

The figure below shows a causal chain of these six networked computers and the various communication events between them occurring over time. Communication paths (and thus causal links) are indicated by black arrows. Events a1 and e1 are the identified suspicious events.
Let’s follow the sequence of events and apply causality analysis to this scenario.
From the information provided by causality analysis, the security team was able to conclude the following:
Suspicious events a1 and e1 are causally related.
Computers A, B, D and E are infected by the worm.
Computers C and F are worm-free thus far.
Computer A is the source of the worm (patient zero).
The worm has not yet progressed beyond Computer E.
Causality analysis provided the team with unique insights they would not have gained using traditional security solutions. Without causality-based Security Analytics in place, the worm would likely progress undetected, flying under the radar of existing threshold- and signature-based detection products. The worm would continue to proliferate to many machines before a threshold was triggered that would alert an analyst to the threat. Once the analyst was aware of the suspicious behavior, it would be a time-consuming and difficult undertaking to manually trace the worm, identify all impacted resources and locate patient zero. During this time the worm would continue to propagate and cause further harm. Causality analysis is a powerful technology that provides security teams with critical insights into suspicious activities as they unfold. With causality analysis, security teams are able to distinguish real threats from benign network traffic, mitigate attacks in progress, pinpoint impacted resources, and track a suspicious chain of behavior all the way back to patient zero, the internal initiator of the breach.
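The event model from the "Identifying relationships" and "Focusing on Behaviors of Interest" paragraphs and the six-computer worm scenario above, as an added worked example in Python. This is not GraniteEdge code. Each flow record becomes a send event on the source and a receive event on the destination; a happens-before graph links every send to its receive and each host's events in time order; breadth-first search over that graph answers causality queries, recovers the chain between two suspicious events, and lists the hosts downstream of patient zero. The hosts A to F, the timestamps, the ports, the baseline of normal (src, dst, port) triples, and the rule that the first odd flow's send is a1 and the second odd flow's receive is e1 are all constructed so that the map reproduces the conclusions listed above; the odd flows would come from an IDS or the baseline comparison in a real deployment.

```python
# Added example (not GraniteEdge code): a toy causal map over flow records.
# Hosts, timestamps, ports and the baseline below are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    t: int      # time the flow was observed (seconds from day-1 start, constructed)
    src: str
    dst: str
    port: int   # destination port


class CausalMap:
    """Events are (host, t, kind, flow_index); each flow yields a send and a receive.
    Edges: send -> receive of the same flow, and earlier -> later event on one host."""

    def __init__(self, flows):
        self.flows = sorted(flows, key=lambda f: f.t)
        self.succ = defaultdict(list)
        by_host = defaultdict(list)
        for i, f in enumerate(self.flows):
            send = (f.src, f.t, "send", i)
            recv = (f.dst, f.t, "recv", i)
            self.succ[send].append(recv)            # communication edge
            by_host[f.src].append(send)
            by_host[f.dst].append(recv)
        for evs in by_host.values():                # program order on each host
            evs.sort(key=lambda e: e[1])
            for a, b in zip(evs, evs[1:]):
                self.succ[a].append(b)

    def _reach(self, start):
        """BFS along happens-before edges; maps every reached event to its parent."""
        parent = {start: None}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            for nxt in self.succ[cur]:
                if nxt not in parent:
                    parent[nxt] = cur
                    queue.append(nxt)
        return parent

    def causally_related(self, a, b):
        # A communication path in either direction makes the two events related.
        return b in self._reach(a) or a in self._reach(b)

    def chain(self, a, b):
        """Hosts on the causal path from a to b ([] if a does not precede b)."""
        parent = self._reach(a)
        if b not in parent:
            return []
        hosts, cur = [], b
        while cur is not None:
            if not hosts or hosts[-1] != cur[0]:
                hosts.append(cur[0])
            cur = parent[cur]
        return hosts[::-1]

    def downstream_hosts(self, a):
        """Every host holding an event that happens after a (a's own host included)."""
        return {e[0] for e in self._reach(a)}


def odd_flows(flows, baseline):
    """Flows whose (src, dst, port) triple never appeared during the baseline period."""
    return [f for f in sorted(flows, key=lambda f: f.t)
            if (f.src, f.dst, f.port) not in baseline]


# Constructed six-host scenario (A..F); day 2 begins at t = 86400.
FLOWS = [
    Flow(10,    "C", "A", 443),   # before a1, so C is upstream of A, never downstream
    Flow(50,    "B", "C", 80),    # B reaches C before B is touched by A
    Flow(100,   "A", "B", 445),   # a1: odd send from the consultant laptop A
    Flow(200,   "B", "D", 80),    # normal-looking traffic carrying the worm onward
    Flow(300,   "F", "C", 443),   # unrelated chatter
    Flow(400,   "D", "E", 80),
    Flow(500,   "C", "F", 80),
    Flow(86500, "D", "E", 445),   # e1: odd receive on E the next day
]
BASELINE = {("C", "A", 443), ("B", "C", 80), ("B", "D", 80),
            ("F", "C", 443), ("D", "E", 80), ("C", "F", 80)}


def analyze(flows=FLOWS, baseline=BASELINE):
    """Answer the questions the text poses about a1 and e1."""
    cmap = CausalMap(flows)
    odd = odd_flows(flows, baseline)
    # Assumption: the first odd flow's send is a1, the second odd flow's receive is e1.
    a1 = (odd[0].src, odd[0].t, "send", cmap.flows.index(odd[0]))
    e1 = (odd[1].dst, odd[1].t, "recv", cmap.flows.index(odd[1]))
    chain = cmap.chain(a1, e1)
    reached = cmap.downstream_hosts(a1)
    all_hosts = {f.src for f in flows} | {f.dst for f in flows}
    return {
        "related": cmap.causally_related(a1, e1),
        "chain": chain,                              # hosts from a1 to e1
        "infected": sorted(reached),                 # everything downstream of a1
        "clean": sorted(all_hosts - reached),
        "patient_zero": chain[0] if chain else None,
        "beyond_e1": sorted(cmap.downstream_hosts(e1) - {e1[0]}),
    }
```

Calling `analyze()` returns the chain A, B, D, E, the infected set {A, B, D, E}, the clean set {C, F}, patient zero A and nothing beyond E. The time ordering is what keeps C and F out: B talked to C at t=50, before the odd event on A reached B, so that flow cannot carry anything from a1, and no event on C or F happens after any event reachable from a1. Real deployments differ from this toy in scale rather than in principle: the map must hold millions of events per day and answer reachability queries quickly, which is why the text mentions heavy processing and storage, and the flagging of a1 and e1 comes from a detection layer rather than a hand-built baseline.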
Causality analysis technology is driving new capabilities for IT teams in maintaining secure networks. It provides the following unique benefits to our customers in financial services, energy and utilities, government and e-commerce:

Minimize False Negatives and Reduce False Positives: Traditional solutions rely on signature and threshold patterns to detect new attacks. These solutions are prone to raising false positives and, more damaging, false negatives, because new threats often do not mimic previously identified threats. Causality analysis avoids these problems by assessing the entire chain of suspicious behavior rather than focusing on single events.

Shrink the Exposure Window: Because attacks may cause significant damage very quickly, IT teams need the ability to monitor, assess and respond to threats in real time. Causality analysis is the only technology that will literally map the progression of suspicious behaviors as they unfold.

Uncover Previously Undetected Threats: Some attacks have telltale signs that they are in progress, such as consuming large quantities of bandwidth or initiating massive host scans. Traditional tools are focused on detecting such attacks. However, many other significant threats are much more subtle, falling under the threshold or outside the expected signature. Zero-day worms and insider abuse are two good examples. With causality analysis, the ability to correctly identify a threat is independent of the number of events taking place within the attack. A targeted insider attack would be identified with the same effectiveness as a large DDoS (Distributed Denial of Service) attack.

Pinpoint Impacted Resources: Through causal chains, all resources (workstations, servers, network devices) impacted by an attack are identified. This allows IT teams to remediate these resources quickly without guessing which resources may have been affected by a security breach.

Expose Patient Zero: Causality analysis maps suspicious behavior from its original source in the network through to its current position. As a result, the initiation point of the attack within the network is quickly identified and patient zero is exposed. Causality analysis allows the security analyst to pinpoint compromised devices and regain control quickly, regardless of whether the attack originated inside or outside the enterprise. Patient zero information also facilitates forensic investigations.

Track Policy Violations: Unlike detection solutions that merely indicate a violation has occurred, causality analysis tracks all network behavior associated with the policy breach based on pre-defined Layer 3 policies. This allows the security team to quickly determine the impact and damage caused by a policy violation.
Dr. Hines received his Ph.D. in Computer Science from the University of Washington where he began developing the causality analysis methodology that is at the core of the GraniteEdge products. Dr. Hines was a co-founder and chief scientist of Consystant Design Technologies where he developed and incorporated new technologies into Consystant's products. He also managed the engineering team, a small research group and created and nurtured Consystant's patent portfolio of 12 patent applications. In his spare time, Dr. Hines enjoys spending time with his family.
GraniteEdge Networks 10900 NE 8th Street, #450 Bellevue, WA 98004 USA Tel: 1-425-452-1334
Copyright © 2006 Silicon Valley Communications - All rights reserved.