Menu
Detecting threats in the real world

Detecting threats in the real world

Security pros know there's no perfect defence against a determined attacker. So when an identity thief strikes, it's vital to detect the theft. But who's going to be the detective?

As applications migrate into the network cloud, the presumption is that IT administrators will be the detectives, vigilantly looking for clues that might spell trouble. But such vigilance will never suffice, because nobody can care as much about my own interests as me, or as much about yours as you.

When I set up my first corporate connection to the Internet, for example, I had a naive fantasy about managed network services. I imagined a bank of screens glowing in a dimly lit network operations centre, earnest young technicians studying them alertly, and then ... What was that? An alarm sounds, a cluster of red dots erupts on one of the screens, the technicians huddle, my phone rings.

"Mr Udell, there's been a routing glitch that affects your subnet. We're aware of the problem and we're working on it. You'll hear back from us as soon as it's fixed."

Yeah, right. What actually always happens is that I notice when a server's gone unreachable, and I contact the ISP. At first nobody there sees a problem. So I triangulate on the errant router, pass along the trace routes that pinpoint the problem, and finally someone agrees to fix it.

This protocol is annoying but not really surprising. Self-interest trumps all other incentives. I care more about my server's connectivity than the folks in the NOC ever can or will. I'll keep a watchful eye, and I'll do what I can to stay on top of things.

Back in my pager-wearing days I scattered a handful of probes around the Internet, and instructed them to ping my boxes and alert me if they couldn't. That worked because basic connectivity is easy to observe. But the activity of my various online personae typically isn't easy to observe - at least not by me, and not in ways that would alert me to, for instance, unusual activity on an account.

Desktop and server operating systems know, and can report, when you've logged in and what you've been doing. True, a savvy impersonator can erase their footsteps, but if you're motivated to look, there's a decent chance you can detect an intrusion.

Applications and services delivered through the Web usually don't afford the same opportunity. If a failed password-guessing attack triggers a temporary lockdown of my online bank account, I have some hope that I'll be promptly notified - though I'm not about to try the experiment in order to find out. But what if shoulder-surfing or a lucky guess yields up my credentials to an evildoer? Typically there's no way for me to monitor the account for amounts, times, or IP addresses that only I would recognise as suspicious.

They should at least show me the last log-in time. A more complete view of all account activity would be ideal. Flooding me with log dumps won't help. The information has to be represented in a way that makes it easy to tell, at a glance, when something's not right.

That's easier said than done, but there's hope. Like all animals, we humans are wired to memorise visual and auditory patterns and notice deviations from them. If software can tap into those innate capabilities, it can help us watch out for ourselves.


Follow Us

Join the newsletter!

Error: Please check your email address.
Show Comments