Knights and Knaves, and CRITICAL INSIGHT

Critical Insight. It’s what we provide, and the name of our next generation product, just released July 31.

The name, the product, the new capabilities and a new perspective on how to achieve all of it seemed worthy of explanation … and maybe a fun puzzle.

As scientists and practitioners working in an infant science like information security, we find that we spend a lot of time looking at more mature science for models and techniques that we can use to “see further, by standing on the shoulders of giants” to both paraphrase and mangle Sir Isaac Newton. We find ourselves reading textbooks and taking classes in statistics, numerical analysis, natural language processing and epidemiology, among other things.

When presented with the problem of modeling an approach to the very real problem of applying a mix of signature, anomaly, behavioral and reputation methods to the vast amounts of data available from modern networks and systems, our team kept finding itself making great progress, then retracing its steps to accommodate new information, new threats or just plain new thinking.

Clearly, a state of continuous re-design is not sustainable for a service supporting regional critical infrastructure in the face of a constantly evolving threat and a stream of successful attacks. We needed to find a giant’s shoulder, and we found one in logic puzzles.

There’s a classic set of logic puzzles, called “Knights and Knaves”, which revolve around the central concept that you have two resources which you can question: Knights, which can tell only the truth, and Knaves, which can tell only lies. The important fact about this category of puzzles is that the solutions do not come in the form of an answer, but a question. (Like Jeopardy, only with more symbolic math.) As a brief example, consider the following puzzle:

You are hiking in the Scottish Highlands and come to a fork in the path with a sign explaining that one path leads shortly to beer and a nice place to rest, while the other path is beset by mimes offering pretend cheese. Beside the road are two experienced travelers who know which path is which, but all you know is that one is a Knight and one is a Knave. You only have time for one question and you can ask either of the travelers. What question do you ask? (Note: One possible answer is at the bottom of this blog entry.**)

Lots of us on the team have experience with these kinds of problems, so re-thinking our analysis approach as an exercise in knowing what questions to ask seemed like it could produce interesting results. In fact, this led us down the path which defines our approach and product. Put simply: we don’t know all of the questions we need to ask, and will never know them until it’s way too late to redesign our product to answer the new questions. So, we take a data science approach to assimilating, indexing, enhancing and analyzing information, with the architectural goal of answering three categories of questions:

  1. Questions we already know how to ask (not very hard).
  2. Questions we don’t know about yet, but answers to which exist in the data (harder, data science required).
  3. Questions we don’t know about yet, which the data itself will expose (much harder, machine learning pixie dust required).

Once we started looking at the problem this way, many aspects of our design fell into place (11.2 dry erase markers later). Modern approaches to remote data collection, queuing, indexing and archive make it possible to ingest truly amazing quantities of data, structuring it ad hoc as needed. And the best part? We can ask questions of the data that we had no idea we’d need until an analyst saw something odd, squinted at it for a couple of seconds and then asked a new question.

For example, we’ve known for quite a while that lateral traffic (workstation to workstation) is somewhat odd, and that certain patterns can indicate that something is amiss (typically malware) and needs to be investigated. Wait, though: are there precipitating events in web logs, packet capture data or IDS signatures that we should be looking for in order to identify this malware before the lateral movement happens? Maybe it’s happened elsewhere, so far undetected, and we can ID some systems to take a closer look at.
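As an added example (not code from the post or from the Critical Insight product), here is the lateral-traffic check described above written out over a handful of constructed flow records and web-proxy log lines: flag workstation-to-workstation connections on administrative ports, raise an alert when one workstation fans out to several others, then pivot back into the web logs for the precipitating events in the hour before that host's first lateral connection. The workstation subnet, port list, allow-listed jump host and every record below are constructed sample values, not anything taken from a real network.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# --- constructed environment description (assumptions, not real data) ---
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed workstation range
ADMIN_JUMP_HOSTS = {"10.20.0.5"}                            # hypothetical allow-listed admin host
WATCHED_PORTS = {135, 445, 3389, 5985}                      # RPC, SMB, RDP, WinRM

# --- constructed flow records: (timestamp, src, dst, dst_port) ---
FLOWS = [
    ("2015-08-01T09:00:00", "10.20.1.10", "10.20.5.7", 445),
    ("2015-08-01T09:00:05", "10.20.1.10", "10.20.5.8", 445),
    ("2015-08-01T09:00:09", "10.20.1.10", "10.20.5.9", 3389),
    ("2015-08-01T09:01:00", "10.20.1.10", "10.20.5.9", 445),    # repeat target, counted once
    ("2015-08-01T09:02:00", "10.20.2.30", "10.20.2.31", 445),   # single lateral flow, below threshold
    ("2015-08-01T09:03:00", "10.20.0.5", "10.20.5.7", 3389),    # jump host, allow-listed
    ("2015-08-01T09:04:00", "10.20.1.11", "10.50.0.10", 445),   # workstation to server, not lateral
    ("2015-08-01T09:05:00", "10.20.1.12", "10.20.5.20", 80),    # lateral but not an admin port
]

# --- constructed web-proxy log lines: (timestamp, client, url) ---
WEB_LOGS = [
    ("2015-08-01T07:00:00", "10.20.1.10", "http://intranet.example/home"),       # too early
    ("2015-08-01T08:40:12", "10.20.1.10", "http://example.invalid/update.exe"),  # constructed
    ("2015-08-01T08:41:00", "10.20.1.10", "http://example.invalid/gate.php"),    # constructed
    ("2015-08-01T08:50:00", "10.20.2.30", "http://example.invalid/news"),
]


def ts(s):
    """Parse the ISO-8601 timestamps used in the sample records."""
    return datetime.fromisoformat(s)


def is_workstation(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WORKSTATION_NETS)


def lateral_flows(flows):
    """Workstation-to-workstation flows on administrative ports, excluding allow-listed sources."""
    return [
        f for f in flows
        if is_workstation(f[1]) and is_workstation(f[2])
        and f[1] not in ADMIN_JUMP_HOSTS
        and f[3] in WATCHED_PORTS
    ]


def fan_out_alerts(flows, min_targets=3):
    """Sources that reach at least `min_targets` distinct workstations laterally."""
    targets = defaultdict(set)
    for _, src, dst, _ in lateral_flows(flows):
        targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def first_lateral_time(flows, src):
    times = [ts(f[0]) for f in lateral_flows(flows) if f[1] == src]
    return min(times) if times else None


def precipitating_web_events(src, flows, web_logs, window_seconds=3600):
    """Web-log lines from `src` in the window before its first lateral connection."""
    start = first_lateral_time(flows, src)
    if start is None:
        return []
    return [
        (t, client, url) for t, client, url in web_logs
        if client == src and 0 <= (start - ts(t)).total_seconds() <= window_seconds
    ]


if __name__ == "__main__":
    for src, dsts in fan_out_alerts(FLOWS).items():
        print(f"ALERT {src} reached {len(dsts)} workstations: {', '.join(dsts)}")
        for t, _, url in precipitating_web_events(src, FLOWS, WEB_LOGS):
            print(f"  precipitating web event {t} {url}")
```

The threshold and window are deliberately parameters: the point of the post is that the analyst will want to re-ask the question with different values once something looks odd, and the data has to be indexed so that the pivot from flows back to web logs is a cheap query rather than a redesign.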

This is the essence of Critical Insight version 1.5. We combine our extensive experience as analysts, data scientists and security experts to reduce the mountain of data produced by any operational network into confirmed incidents, which we communicate to the affected parties as an Incident Action Plan (plugged into YOUR incident management process).

  • Our experienced analysts receive automated alerts based on known patterns.
  • Our analytics engine provides live analysts with an unprecedented view of potential indicators of compromise, with the ability to pivot, restructure and generally find the needle in the needle stack.
  • We provide reports at a reduction scale of 100,000:1 of real events that require your attention.

We are very excited about this new release. We’ve engineered a new on-premise Critical Insight Collector (CIC) to accept all of the sources of information your network produces. We’ve completely restructured connectivity from your on-site CIC to our Security Operations Center for greater resilience and zero perimeter impact. We’re asking questions we didn’t know to ask yesterday, and getting useful answers. We’re tracking the Knaves like never before.

** One question that will work for this puzzle is “What would the other traveler say is the mime-infested path?” The Knave will lie about what he knows the Knight will say, providing the mime path. The Knight will answer truthfully with the lie he expects the Knave would tell, providing the mime path as well. Take the other path.
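The puzzle and its solution, as an added example that is not part of the original post: a small Python model that enumerates the four possible worlds (which traveler is the Knight, which path has the mimes) and evaluates each candidate question against every world and both travelers. It shows why asking about the other traveler works, and generalizes slightly beyond the single question above: the Knight's truthful report of a lie and the Knave's lie about a truthful report always coincide, so the reply is the opposite of whichever path the question names, no matter whom you ask, while a direct question gives a reply that depends on whom you happen to ask. The path labels and the representation of a world are constructed for the example.

```python
from itertools import product

PATHS = ("left", "right")  # constructed labels for the two branches of the fork


def other_path(path):
    """The path that is not `path`."""
    return PATHS[1 - PATHS.index(path)]


def all_worlds():
    """Every combination of which path has the mimes and which traveler (0 or 1) is the Knight."""
    return [{"mime_path": m, "knight": k} for m, k in product(PATHS, (0, 1))]


def respond(question, world, who):
    """Reply of traveler `who`: the Knight states the true answer, the Knave states the other path."""
    truth = question(world, who)
    return truth if world["knight"] == who else other_path(truth)


def direct(topic):
    """Direct question: 'Which path is the <topic> path?' (topic is 'mime' or 'beer')."""
    def question(world, who):
        mime = world["mime_path"]
        return mime if topic == "mime" else other_path(mime)
    return question


def about_other(topic):
    """Indirect question: 'What would the other traveler say is the <topic> path?'"""
    def question(world, who):
        # The true answer is whatever the *other* traveler would actually reply to the direct question.
        return respond(direct(topic), world, 1 - who)
    return question


def mime_path(world):
    return world["mime_path"]


def beer_path(world):
    return other_path(world["mime_path"])


def always_equals(question, expected):
    """True when every traveler in every world replies with `expected(world)`."""
    return all(
        respond(question, world, who) == expected(world)
        for world in all_worlds()
        for who in (0, 1)
    )


def replies(question):
    """All (mime path, knight index, asked traveler, reply) tuples, for inspection."""
    return [
        (world["mime_path"], world["knight"], who, respond(question, world, who))
        for world in all_worlds()
        for who in (0, 1)
    ]


if __name__ == "__main__":
    for name, q in (("direct 'mime'", direct("mime")), ("about other 'mime'", about_other("mime"))):
        print(name)
        for mime, knight, who, reply in replies(q):
            print(f"  mimes on {mime}, Knight is #{knight}, ask #{who} -> {reply}")
```

Run it and the direct question produces two different replies per world, one from each traveler, while either indirect question produces a single reply per world: naming the beer path in the question yields the mime path from both travelers, and naming the mime path yields the beer path from both. That invariance under "who did I ask" is the property the post is after when it says the solution is a question rather than an answer.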