Thinking Security: So, What Happened?
This is the 32nd blog in a series about security and how security is about how you think.
One of the characteristics of an engineer is a natural curiosity about how things work. Security practitioners are the same way. They want to know what happened and how. Engineers need to understand exactly how something is constructed, while security-minded individuals need to understand the background and the other events surrounding a possible problem or incident. How, in computer systems, do we satisfy that need for information?
We do it through the logging capability (or audit subsystem) of the system. This assumes that the system is documenting and saving what has happened for use later (in what is called forensic analysis). Some systems can also send their information to special agents (called collectors) that can take events from several sources, integrate them, and do extensive analysis.
This raises interesting questions: Do all systems do this? Does my car do this? Maybe. There may be some data stored long-term in one of the many embedded systems that contains historical information about how the car ran or about any problems that happened. Does my smartphone do this? Maybe. Again, there may be information sent off your phone for diagnostic purposes or as part of normal operations.
The car and the smartphone may have storage issues, so that saving lots of information long term just is not feasible (unless you can hook a large disk array to either one). What about your fish tank (just Google “fish tank vulnerability”)? Definitely not. If my smartphone or car has storage issues, then I am sure that my fish tank has no storage capabilities for what happened, who logged in, or any other data to look at what has happened.
As we acquire more and more “smart” devices, we have to ask how each executes this process. Do they log any data at all? On the other hand, do they just assume that everything is always good?
So, with the ongoing rise of the Internet of Things (IoT), how will we know “what happened”? Some devices will not have much data to save – for example, a simple temperature sensor that could return the current temperature and the average over the last 24 hours. However, larger systems – such as automation equipment, intelligent devices, even fish tanks – will have data that helps us assess their security state and overall security posture.
Logging is where the ClearPath Forward® environments shine over other systems – commodity systems, appliances and so-called smart devices. They have logging (auditing) on at all times, keep track of everything that occurs on the system, and do so as part of normal operations. In addition, they keep this information secure, so that it cannot be modified later on to hide any incidents. Also, many tools can analyze the information and send it to collectors as part of a SIEM (System Incident and Event Monitoring) network. This allows ClearPath MCP and OS 2200 clients to know what is happening in every part of their ClearPath system at all times. It really allows them to understand the “what happened” of their system.
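The two properties the post relies on – a log that is written continuously as part of normal operation, and one that cannot be quietly edited afterwards to hide an incident – can be illustrated with a small tamper-evident audit log. The following is an added example written for this post; it is not ClearPath code and does not describe how the MCP or OS 2200 audit subsystems are implemented. Each record carries an HMAC over its own content plus the tag of the previous record, so altering, deleting, or reordering any earlier entry breaks the chain when it is verified. The `AUDIT_KEY`, the `Collector` class and the sample events are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed demo key. In a real deployment the key would be provisioned
# out of band and never readable by the workloads being audited.
AUDIT_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # tag used as the "previous" link of the very first record


def canonical(record: Dict) -> bytes:
    """Stable serialisation so the same record always produces the same MAC."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_tag(key: bytes, seq: int, event: Dict, prev_tag: str) -> str:
    """HMAC-SHA256 over (sequence number, event, previous tag)."""
    body = {"seq": seq, "event": event, "prev": prev_tag}
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


class TamperEvidentLog:
    """Append-only audit log where every record commits to the one before it."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.records: List[Dict] = []

    def append(self, event: Dict) -> Dict:
        seq = len(self.records)
        prev_tag = self.records[-1]["tag"] if self.records else GENESIS
        record = {"seq": seq, "event": event, "prev": prev_tag}
        record["tag"] = record_tag(self.key, seq, event, prev_tag)
        self.records.append(record)
        return record

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, otherwise the index of the
        first record whose content, position, or link does not check out."""
        prev_tag = GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev_tag:
                return i  # record deleted, inserted, or reordered
            expected = record_tag(self.key, rec["seq"], rec["event"], rec["prev"])
            if not hmac.compare_digest(expected, rec["tag"]):
                return i  # record content edited after the fact
            prev_tag = rec["tag"]
        return None


class Collector:
    """Hypothetical SIEM-side receiver: checks each forwarded record against
    the chain it has already seen, so a gap or edit is noticed on arrival."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_tag = GENESIS
        self.accepted: List[Dict] = []
        self.rejected: List[Dict] = []

    def receive(self, rec: Dict) -> bool:
        ok = (
            rec["prev"] == self.last_tag
            and rec["seq"] == len(self.accepted)
            and hmac.compare_digest(
                record_tag(self.key, rec["seq"], rec["event"], rec["prev"]), rec["tag"]
            )
        )
        (self.accepted if ok else self.rejected).append(rec)
        if ok:
            self.last_tag = rec["tag"]
        return ok


def demo() -> Dict[str, Optional[int]]:
    """Constructed events: a login, a file read, and a logout. Then an attempt
    to rewrite the login record and to drop the file-read record."""
    log = TamperEvidentLog(AUDIT_KEY)
    log.append({"type": "login", "user": "alice", "result": "ok"})
    log.append({"type": "file_read", "user": "alice", "path": "/data/report"})
    log.append({"type": "logout", "user": "alice"})
    intact = log.verify()

    # Forward the clean chain to the collector as the records were produced.
    collector = Collector(AUDIT_KEY)
    forwarded_ok = all(collector.receive(dict(r)) for r in log.records)

    # Attempt 1: change who logged in, without recomputing the tag.
    log.records[0]["event"]["user"] = "mallory"
    edited = log.verify()
    log.records[0]["event"]["user"] = "alice"  # restore for the next check

    # Attempt 2: remove the file-read record entirely.
    del log.records[1]
    deleted = log.verify()

    return {
        "intact": intact,             # None: chain verifies
        "forwarded_ok": forwarded_ok, # True: collector accepted every record
        "edited": edited,             # 0: first bad record is the edited login
        "deleted": deleted,           # 1: record now at index 1 has seq 2
    }


if __name__ == "__main__":
    print(demo())
```

The collector in this example shares the key with the log writer only to keep the code short; a real forwarding path would have the system sign records and the collector hold just the verification material, so that compromise of the collector cannot forge history either.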
Will the IoT be truly smart and participate in a logging subsystem so that we can uncover “what happened”? Time will tell if we can know whether our intelligent devices are truly smart or are doing dumb things. Then we can see if we can THINK security in the age of the IoT.