Sign up to save your podcasts
Or
Share Ken Hines: Using Causal Analysis to Establish Meaningful Connections between Anomalous Behaviors in a Networking Environment
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Ken Hines: Using Causal Analysis to Establish Meaningful Connections between Anomalous Behaviors in a Networking Environment
Fueled by business needs such as supply chain integration and outsourcing, modern enterprises must open up portions of their networks to potentially untrusted outsiders. Combined with the troubling aspects of malicious insiders, ever more sophisticated attacks, increasing network complexity, and strong pressure from regulatory bodies to rapidly identify breaches and assess damages, there is a rapidly growing concern over internal network security. IT departments must work harder than ever to prevent insiders and outsiders from gaining unauthorized access to critical assets deep in the network, and if such access ever occurs, identify and report on, the impact of such a security breach.
In order to gain real insight into the dynamic behavior of their networks, IT departments must monitor huge quantities of data, where individual elements of a sophisticated attack may be spread out over long periods of time, and vast numbers of logs. Many tools are available to identify individual phases of an attack, such as IDSs, network based anomaly detection tools, host based monitoring tools, and even firewalls. However, this data is presented to the security analyst as a series of unrelated suspicious events. Because of the complexity of modern networks there are always isolated and seemingly suspicious things occurring on the network. To find a sophisticated breach the individual pieces of an attack need to be tied together for successful analysis.
This presentation demonstrates the value of causal analysis using a simple example that involves social networks rather than computer networks, how this example is really a metaphor for a very common form of computer network attack, and how causal analysis is equally appropriate in finding this sort of attack in enterprise networks. It then presents some of the factors that compound the difficulty of this analysis in real networks, and describes approaches that simplify this complexity. Using the techniques described, two real "stepping stone" attacks are outlined and diagrammed to illustrate the power of causal analysis. Finally, it demonstrates how this analysis can be combined with other forms of security analytic and mitigation techniques to provide a formidable barrier against network attacks.
Ken Hines earned his Ph.D. in computer science at the University of Washington in 2000, by successfully defending his dissertation, which applied causal analysis to debugging heterogeneous distributed embedded systems. Since then, he has founded two venture funded companies, and actively developed commercial products that apply causal analysis to solving complex problems related to distributed embedded systems, network processor based network infrastructure, and finally networks as a whole.
While a graduate student, Ken was one of the primary researchers on the Chinook Hardware/Software Co-synthesis project, and published a number of papers on distributed debugging, distributed hardware/software co-simulation, and co-synthesis for heterogeneous distributed embedded systems.
View all episodes
Fueled by business needs such as supply chain integration and outsourcing, modern enterprises must open up portions of their networks to potentially untrusted outsiders. Combined with the troubling aspects of malicious insiders, ever more sophisticated attacks, increasing network complexity, and strong pressure from regulatory bodies to rapidly identify breaches and assess damages, there is a rapidly growing concern over internal network security. IT departments must work harder than ever to prevent insiders and outsiders from gaining unauthorized access to critical assets deep in the network, and if such access ever occurs, identify and report on, the impact of such a security breach.
In order to gain real insight into the dynamic behavior of their networks, IT departments must monitor huge quantities of data, where individual elements of a sophisticated attack may be spread out over long periods of time, and vast numbers of logs. Many tools are available to identify individual phases of an attack, such as IDSs, network based anomaly detection tools, host based monitoring tools, and even firewalls. However, this data is presented to the security analyst as a series of unrelated suspicious events. Because of the complexity of modern networks there are always isolated and seemingly suspicious things occurring on the network. To find a sophisticated breach the individual pieces of an attack need to be tied together for successful analysis.
This presentation demonstrates the value of causal analysis using a simple example that involves social networks rather than computer networks, how this example is really a metaphor for a very common form of computer network attack, and how causal analysis is equally appropriate in finding this sort of attack in enterprise networks. It then presents some of the factors that compound the difficulty of this analysis in real networks, and describes approaches that simplify this complexity. Using the techniques described, two real "stepping stone" attacks are outlined and diagrammed to illustrate the power of causal analysis. Finally, it demonstrates how this analysis can be combined with other forms of security analytic and mitigation techniques to provide a formidable barrier against network attacks.
Ken Hines earned his Ph.D. in computer science at the University of Washington in 2000, by successfully defending his dissertation, which applied causal analysis to debugging heterogeneous distributed embedded systems. Since then, he has founded two venture funded companies, and actively developed commercial products that apply causal analysis to solving complex problems related to distributed embedded systems, network processor based network infrastructure, and finally networks as a whole.
While a graduate student, Ken was one of the primary researchers on the Chinook Hardware/Software Co-synthesis project, and published a number of papers on distributed debugging, distributed hardware/software co-simulation, and co-synthesis for heterogeneous distributed embedded systems.