What are the serious IT and information security lessons to be learnt from one of the Monty Python team's best-loved movies? Jason Holloway, of SIEM vendor ExaProtect, takes up the quest.

Monty Python and The Holy Grail made Ben Hur look like an epic, set cinema back 900 years, and is one of the richest sources of quotes for pub conversations. Yet the film is also rich in security management concepts, and scenarios from which any ITSec team can learn. Let's take a closer look at some of these situations, and how the lessons can help corporate IT teams to address common security issues and smooth security management.

Build on secure foundations

Prince Herbert's father is proudly showing his son the kingdom he will inherit. He tells the Prince: 'All I had when I started was swamp... other kings said I was daft, but I built my castle all the same, just to show 'em. It sank into the swamp. So I built another one... that sank into the swamp. I built another one... that burnt down, fell over and sank into the swamp. So I built another, and that stayed up...'

The lesson here is to build the security fortress on solid foundations, using established security frameworks such as COBIT, COSO, ITIL®, BS7799 / ISO17799 or the newer ISO27001. These help you implement robust IT and security management processes and determine your control indicators, which helps with ongoing security and governance procedures. So your security processes won't sink into the mud at the first challenge.

Event filtering - living to tell the tale

The knights who say 'Ni' were feared for the manner in which they uttered this sacred word. In fact, those that heard the knights' mass chorus of 'Ni' seldom lived to tell the tale. 

It's the same with monitoring security events across networks - those that try to do it without first filtering out the event noise will be lucky to survive. With thousands of events from multiple systems being reported every second, staff can't hope to cope without tools to help them. 

This is where security information and event management (SIEM) comes in. It filters, aggregates and correlates the security data and log traffic generated by multiple systems, reducing the number of visible alerts by a factor of 1,000 or more - giving IT staff a far less cluttered view of what's happening. 

All data and event logs are aggregated and correlated by the SIEM solution, ensuring that staff aren't overwhelmed by the sheer volume of events, and letting them focus on events that really matter. Yet at the same time, the solution stores the raw data logs for analysis, if required - which we'll touch on later. 

Chasing false positives

Sir Lancelot the Brave, the most violent and unstable of the Knights of the Round Table, receives a note reading: 'I have been imprisoned by my father who wishes me to marry against my will. Please, please, please come and rescue me. I am in the tall tower of Swamp Castle.'

Fired with zeal to rescue what he believes is a damsel in distress, he storms the castle single-handed, slashing and hacking at guards and guests alike. On reaching the tall tower, he finds the author of the note: Prince Herbert. Lancelot is crushed, and curses his overeagerness to respond.

False positive alerts like this, raised by security systems such as IDS / IPS, are the bugbear of security teams, and cutting them to a minimum is another key SIEM system function. There are a number of ways to cut false positives, including tuning the IDS / IPS, keeping configurations up to date, event correlation and more. This should be considered a vital step in gaining control and better managing security systems.

Correlating ducks and witches

Bedevere is faced with the problem of how to decide if a woman being harassed by villagers really is a witch. He wisely points out that witches burn because they are made of wood, and that both wood and ducks float on water. So Bedevere asks the villagers to take the girl to a set of large scales to see if she weighs the same as a duck - which in turn means that she is made of wood (are you still with me?), and is therefore a witch.

This is a prime example of the difficulty of security event correlation in real time, when performed by humans. Just because events seem related doesn't mean that they are. Conversely, an event that is seemingly innocuous when viewed in isolation may signal an attempted breach when correlated with other peripheral security information.

As an example, if a mission-critical server is targeted by an attack to which it's vulnerable, immediate action is needed. But if the server is already patched against the vulnerability that the attack exploits, this can be correlated and the IT team given a low-level alert, as the risk to the business asset is lower. 
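The patched-versus-vulnerable correlation described above, as an added Python example that is not part of the original article or any vendor's product. The inventory, host names, the `VULN-A` placeholder id and the "medium" level for unknown hosts are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed inventory: host -> business criticality and the vulnerability ids
# still unpatched on it. "VULN-A" is a placeholder, not a real identifier.
ASSETS = {
    "erp-db01": {"critical": True, "unpatched": {"VULN-A"}},
    "erp-db02": {"critical": True, "unpatched": set()},
    "kiosk-07": {"critical": False, "unpatched": {"VULN-A"}},
}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class IdsAlert:
    target: str    # host the IDS saw being attacked
    exploits: str  # vulnerability id the detected attack relies on

def prioritise(alert, assets=ASSETS):
    """Return the alert level after correlating with patch state."""
    asset = assets.get(alert.target)
    if asset is None:
        return "medium"  # assumption: unknown hosts need a human look
    if alert.exploits not in asset["unpatched"]:
        return "low"     # already patched: low-level alert, as in the text
    return "critical" if asset["critical"] else "high"

def triage(alerts, assets=ASSETS):
    """Order a batch of alerts so exposed critical assets come first."""
    scored = [(prioritise(a, assets), a) for a in alerts]
    return sorted(scored, key=lambda pair: RANK[pair[0]])

SAMPLE = [  # constructed IDS alerts
    IdsAlert("erp-db02", "VULN-A"),
    IdsAlert("kiosk-07", "VULN-A"),
    IdsAlert("lab-unknown", "VULN-A"),
    IdsAlert("erp-db01", "VULN-A"),
]

if __name__ == "__main__":
    for level, alert in triage(SAMPLE):
        print(f"{level:8} {alert.target} ({alert.exploits})")
```

The same attack signature yields four different alert levels here, which is the point of correlating against asset and patch data before anyone is paged.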

Black beasts and raw logs

The knights are reading the carvings written by Joseph of Arimathea which tell the location of the Holy Grail. The carvings say that the Grail is located in the 'Castle of aaaarrrrrrggghhh'. As they try to figure out what the Castle of aaaarrrrrrggghhh is, the Black Beast sneaks up on them from behind.

The carvings are a prime example of a badly-correlated security alert that is no longer supported by the raw log data of the original event. Without access to the original raw logs, Arthur and the knights cannot see what happened, and so are unprepared for the Black Beast's attack.

In the same way, if IT teams have access to the logs from earlier security events, they can review and replay those logs to better understand the actual events. This gives greater insight than trying to extrapolate backward from refined alerts on events. Storage and archiving of raw logs and events underpins an effective SIEM deployment.
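An added Python example, not from the original article, showing the aggregation from the event filtering section together with the raw log retention argued for here: each aggregated alert keeps the positions of the raw lines behind it so they can be replayed. The log format, field names and 60-second window are assumptions, the sample lines are constructed, and input is assumed to be in time order.

```python
import re
from datetime import datetime, timedelta

LINE = re.compile(r"(?P<ts>\S+) (?P<dev>\S+) (?P<action>\S+) "
                  r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

RAW_LOGS = [  # constructed firewall log lines; this list is the raw store
    "2024-05-01T10:00:01Z fw01 DENY src=10.0.0.5 dst=10.0.1.9 dport=22",
    "2024-05-01T10:00:02Z fw01 DENY src=10.0.0.5 dst=10.0.1.9 dport=22",
    "2024-05-01T10:00:40Z fw01 DENY src=10.0.0.5 dst=10.0.1.9 dport=22",
    "2024-05-01T10:00:41Z fw01 DENY src=10.0.0.8 dst=10.0.1.9 dport=3389",
    "garbled line the parser cannot read",
    "2024-05-01T10:02:00Z fw01 DENY src=10.0.0.5 dst=10.0.1.9 dport=22",
]

def aggregate(raw_lines, window=timedelta(seconds=60)):
    """Collapse repeated events into one alert per key per time window."""
    alerts, open_alerts = [], {}
    for idx, line in enumerate(raw_lines):
        m = LINE.fullmatch(line)
        if m is None:
            continue  # unparsed lines are skipped here but stay in the raw store
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        key = (m["dev"], m["action"], m["src"], m["dst"], m["dport"])
        alert = open_alerts.get(key)
        if alert is None or ts - alert["first_seen"] > window:
            alert = {"key": key, "first_seen": ts, "count": 0, "raw_idx": []}
            open_alerts[key] = alert
            alerts.append(alert)
        alert["last_seen"] = ts
        alert["count"] += 1
        alert["raw_idx"].append(idx)  # pointer back to the original evidence
    return alerts

def replay(alert, raw_lines):
    """Return the untouched raw lines that produced an aggregated alert."""
    return [raw_lines[i] for i in alert["raw_idx"]]

if __name__ == "__main__":
    for a in aggregate(RAW_LOGS):
        print(a["count"], a["key"], replay(a, RAW_LOGS)[0])
```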

Denying all: none shall pass

Impressed by the Black Knight's fighting skills in defeating the Green Knight, Arthur invites him to join the Round Table. The Black Knight does not respond. Arthur regrets this and makes to continue his journey over the bridge guarded by the Black Knight, which the knight prevents, saying 'None shall pass.' This leads to a bloody fight in which Arthur has to hack off each of the Black Knight's limbs, in order to cross the bridge.

The failure of the Black Knight's 'deny all' approach highlights just how difficult it is to enforce - largely because you cannot know what all your users want to do, all of the time. However, allowing users and applications to perform only specified tasks across networks and servers, and denying anything else, greatly simplifies security product configuration and gives you fewer events and stronger security overall.

This is where real-time policy management - ideally from the same console as the SIEM system - comes into its own, enabling IT teams to make network and user policy changes quickly, in reaction to emerging situations and user demands.

So there you have it - six key steps on the quest for the Holy Grail of IT security. With these, you're sure to have more success than King Arthur and his knights.