Sathya Chandran Sundaramurthy
Kansas State University
Publications
Featured research published by Sathya Chandran Sundaramurthy.
IEEE Symposium on Security and Privacy | 2014
Sathya Chandran Sundaramurthy; John McHugh; Xinming Simon Ou; S. Raj Rajagopalan; Michael Wesch
The ethnographic method of participant observation can help researchers better understand the challenges computer security incident response teams face by illuminating underlying assumptions and tacit practices that shape how tools are actually used in different contexts.
Proceedings of the 2012 ACM Workshop on Building analysis datasets and gathering experience returns for security | 2012
Sathya Chandran Sundaramurthy; Sandeep N. Bhatt; Marc R. Eisenbarth
We report preliminary results on analyzing a large dataset of over 35 billion alerts recorded over a 5 year period by Hewlett-Packard (HP) TippingPoint Intrusion Prevention System (IPS) devices located in over 1,000 customer networks worldwide. This dataset provides a rich view into the nature of attacks, both external and internal, across diverse networks. This paper presents our initial findings. For example, (i) while most customers are among the early victims of only a handful of attacks, a few customers are early victims of a large number of attacks, (ii) vendor vulnerability disclosures sometimes lead to a surge in exploit attempts, and (iii) even after a decade, some worms such as Slammer show very significant spikes in their activity and infection rates.
European Symposium on Research in Computer Security | 2017
Alexandru G. Bardas; Sathya Chandran Sundaramurthy; Xinming Ou; Scott A. DeLoach
The static nature of current IT systems gives attackers the extremely valuable advantage of time, as adversaries can take their time and plan attacks at their leisure. Although cloud infrastructures have increased the automation options for managing IT systems, the introduction of Moving Target Defense (MTD) techniques at the entire IT system level is still very challenging. The core idea of MTD is to make a system change proactively as a means to eliminating the asymmetric advantage the attacker has on time. However, due to the number and complexity of dependencies between IT system components, it is not trivial to introduce proactive changes without breaking the system or severely impacting its performance.
Proceedings of the 2014 ACM Workshop on Security Information Workers | 2014
Sathya Chandran Sundaramurthy; Jacob Case; Tony Truong; Loai Zomlot; Marcel Hoffmann
Security researchers have been trying to understand the functioning of a security operation center (SOC) and how security analysts perform their job. This effort is motivated by the fact that security monitoring and analysis is not just a technical problem. Researchers must take into consideration the human and organizational factors for their research ideas to succeed. Much work in this direction has been through interviews of security analysts in SOCs. Interviews, however useful, will not always be possible, as analysts work in a high-stress and time-constrained environment. Thus the understanding of operational challenges gained through interviews is quite shallow. There is also an issue of trust that limits the amount of information an analyst shares with an interviewing researcher. In our work, we take an anthropological approach to address this problem. Students with a Computer Science background are trained in anthropological methods by an anthropologist and are embedded as security analysts in operation centers. Embedded students perform the same job as an analyst and see the operational world from the viewpoint of an analyst. Through reflection on the observations made by the students we gain a holistic perspective of the challenges in operation centers. In this paper we report preliminary results on the ongoing fieldwork at two corporate SOCs and a university SOC.
New Security Paradigms Workshop | 2013
Sathya Chandran Sundaramurthy
Current tools and solutions to handle incident response and forensics focus only on one piece of evidence, doing very little towards presenting the big picture. My PhD dissertation will focus on developing analytical tools that can automate repeated tasks whenever possible and also be able to connect the dots among multiple data sources. The tools of my research will focus on reducing the time incident responders spend on mundane tasks through automation, and also on providing data in a more abstract and context-specific manner. Such presentation will be more useful in constructing the intrusion scenario than when the data is presented raw. Another challenge security researchers face today is validating their research ideas on real-world data. My PhD work will focus on applying anthropological methods to identify the tacit knowledge of incident responders and make it explicit through tools, processes, and publications.
2012 eCrime Researchers Summit | 2012
Dan Moor; S. Raj Rajagopalan; Sathya Chandran Sundaramurthy; Xinming Ou
While most enterprise computing environments are proactively monitored for threats and security violations using automated detection engines, the ability to validate reported events as true incidents still requires a non-trivial amount of time and information gathering as well as investment in staffing and training of personnel. To improve an organization's overall reactive security posture and reduce some of the associated costs, we propose an investigation model supported by predictive, automated data collection and guided presentation of the resulting information. By modeling the investigative goals and requirements for each event type, this approach can automate proactive data collection actions wherever possible, thus reducing the investigation time as well as providing a consistent framework for the monitoring staff. By providing the goals of the alert validation process, the framework also reduces the minimum skill required of monitoring staff. Furthermore, the collected information is presented in a formatted manner with documented requirements for validation, therefore guiding the analyst to the appropriate conclusion. By following this method, false positive alerts are more quickly pared down, allowing for better utilization of skilled resources by focusing efforts on only those alerts validated as genuine.
Security and Artificial Intelligence | 2011
Loai Zomlot; Sathya Chandran Sundaramurthy; Kui Luo; Xinming Ou; S. Raj Rajagopalan
CSET'15 Proceedings of the 8th USENIX Conference on Cyber Security Experimentation and Test | 2015
Yuping Li; Sathya Chandran Sundaramurthy; Alexandru G. Bardas; Xinming Ou; Doina Caragea; Xin Hu; Jiyong Jang
Symposium on Usable Privacy and Security | 2015
Sathya Chandran Sundaramurthy; Alexandru G. Bardas; Jacob Case; Xinming Ou; Michael Wesch; John McHugh; S. Raj Rajagopalan
USENIX Conference on Large-Scale Exploits and Emergent Threats | 2012
Alexandru G. Bardas; Loai Zomlot; Sathya Chandran Sundaramurthy; Xinming Ou; S. Raj Rajagopalan; Marc R. Eisenbarth