The Naughty List Is New Again

14 Apr The Naughty List Is New Again

So Here’s How to Pick the Better Behavioral Analysis Security Product . . .

The security industry wants you to behave. That’s apparently the latest hurdle to cybersecurity at the corporate level: behaving. Now imagine a collapsed mother in near tears as kids knock over all the nice things that parents can’t have, and that’s the security industry as a metaphor.

Cybercriminals are why we can’t have nice things

The concept of the blacklist or the naughty list never really left. It just returned marketingly through a new form, as behavioral analysis, which also has been around since long before Skinner bought a box. So when we say behavioral analysis is back again we don’t mean just once but again and again it’s again. But are we better at it now?

Behavioral analysis is the intersection between people and technology, which means we can either assume technology should behave like people or people should behave like technology. The point being that there is a naughty list again, but instead of creating it before the bad things are done, like the TSA and Santa, behavioral analysis means the list is made on the fly while the misbehaving is happening. At this very moment. Yes, they know now where you will bury the body, Casey.

Some product makers, though, like to use the technique of flagging and measuring any act that looks like you might be thinking about misbehaving. Is it perfect? Well, it’s just somebody’s idea of how to see the future and not actual angel tears, so you decide. But still, it might just work.

The new and improved naughty list for better *slimy wink* naughties

The naughty list is in many products today, from intrusion detection systems to data leak prevention and even firewalls. Many of the products are hybrids of all three with a dash of something or other mixed in to dumb them down to meet industry and government compliance objectives. Yeah, I’m looking at you, PCI-DSS 3.1 Prioritized Checklist, whose priorities directly conflict with every modern security technology because they (priority 1) retain sensitive authentication data to (priority 4) monitor and control access to systems.

That doesn’t mean Behavioral Analysis can’t be done in a good and proper way though. The problem is that some of the product buyers of such technologies might not have enough Ph.D. in Behavioral Psychology to make a proper purchasing decision and, like many of the inferior, Behavioral Psychology Masters diploma bearers, need to rely on the marketing and whitepapers of the product manufacturer to make a more informed decision. So they’re likely to end up with a system that only guesses the present like the fortuneteller who told me I would get ripped off.

So, as a public service, let me give you a couple questions you can ask any product vendor that uses behavioral analysis as its foundation for singular, non-multiple, pony tricks to make a better product decision:

  1. Would more data make this product better?

What you’re looking for here is to see if the product has limitations because it can’t get enough data or if it has limitations because it can’t get the data fast enough. If the answer is more data then you have a product that can grow with you as long as you have the ability to feed Audrey 3 here.

But if you don’t have enough systems or traffic, then you need speed, and you’re dealing with a product whose speed allows for alerts on things in the present that are sent so fast as to seem prescient. As any High Frequency Trader can tell you from behind stacks and stacks of money, that’s not a bad thing and can work really well. It’s also not behavioral analysis.

  2. Are potential attacks analyzed as technology or people?

Hell yeah it’s a deep question! This smack-down of a question makes you look like you have a white pony tail and tiny spectacles reflecting a wall full of diplomas. But what you want to hear from this is if they are making it or faking it.

If they treat it like people then that means they rate actions on types of expected reactions of the sender or receiver to predict whether a particular action is good or bad. That’s much like a crowd does when a guy says or does something and the world suddenly stops and onlookers think, “Oh no he didn’t!” because they know a can of ass-whoop is about to get opened up. It’s about understanding so-called “fight words” where we don’t have to have a crystal ball to know what comes next is not good. It’s textbook behavioral analysis. That means it’s really good at picking up subtext and subtle hints like any non-male person can. If your services are focused on people interacting with each other online then this is likely what will work best for you.

But if they say they treat attacks like technology then they are doing behavioral analysis like a psychopath does. Which isn’t bad and it’s certainly effective. Sure, I guess saying psychopath makes it seem negative but when you consider how many successful people are psychopaths (yes, very few of us actually end up in prison) then you have to admit it works. But it lacks the ability to gauge reactions without help.

Historical experience

Attacks analyzed as technology (ports, services, IPs, protocols) are faking behavioral analysis the same way threat intelligence services black out places because of something it thinks it once did (and I say thinks because attribution is really hard and it’s just not physically possible to do all the research for even 100Mb of IPs and domains let alone the gigs that they often claim to have). If it can’t rely on historical experience then it has to check and see what other security software is doing about it. That’s the behavioral equivalent of laughing when the other person laughs so you don’t have to admit you didn’t understand the joke. That’s why technology-focused analysis isn’t real behavioral analysis but then again my Roomba isn’t a professional housekeeper with a vacuum but it does a better job at cleaning under the sofa especially when there’s something good on television. So if your infrastructure is somewhat chaotic or changes often then you may want to consider something like this that doesn’t get distracted easily.
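As an added illustration (not code from the original post or from any product), here is the difference between the two answers to question 2 on constructed events: a naughty list compiled beforehand from historical indicators (attacks as technology) versus one built on the fly from what each actor’s actions normally lead to (attacks as people). The actor names, source IPs and action names are constructed; the IPs come from documentation ranges.

```python
from collections import defaultdict

# Constructed sample events (not from the original post). Each event is
# (actor, source IP, action). 198.51.100.x / 203.0.113.x are documentation ranges.
BASELINE = [
    ("alice", "198.51.100.10", "login"),
    ("alice", "198.51.100.10", "read_report"),
    ("alice", "198.51.100.10", "logout"),
    ("bob", "198.51.100.11", "login"),
    ("bob", "198.51.100.11", "read_report"),
    ("bob", "198.51.100.11", "logout"),
]
LIVE = [
    ("alice", "198.51.100.10", "login"),
    ("alice", "198.51.100.10", "export_all"),  # never followed alice's login before
    ("bob", "203.0.113.5", "login"),            # source is on the pre-made list
    ("bob", "203.0.113.5", "read_report"),
]

# Approach 1: the list is made before the fact, Santa-style, from historical
# experience. Constructed indicator; a real list would come from threat intel.
NAUGHTY_IPS = {"203.0.113.5"}


def flag_by_history(events, naughty=NAUGHTY_IPS):
    """Flag every event whose source IP is already on the pre-made list."""
    return [e for e in events if e[1] in naughty]


# Approach 2: the list is made on the fly. Learn which action normally follows
# which for each actor, then flag a transition that actor has never produced:
# the "fight words" whose next step does not look good.
def learn_transitions(events):
    seen = defaultdict(set)  # actor -> set of (previous action, next action)
    prev = {}
    for actor, _, action in events:
        if actor in prev:
            seen[actor].add((prev[actor], action))
        prev[actor] = action
    return seen


def flag_by_behavior(baseline, live):
    """Flag live events whose (previous, current) action pair is new for that actor."""
    seen = learn_transitions(baseline)
    prev, flagged = {}, []
    for event in live:
        actor, _, action = event
        if actor in prev and (prev[actor], action) not in seen[actor]:
            flagged.append(event)
        prev[actor] = action
    return flagged
```

On these events the historical list flags only bob’s traffic from the listed IP, while the on-the-fly list flags alice’s export, which no indicator could have known in advance; an actor with no baseline at all gets every transition flagged, which is the cold-start cost of this approach.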

So that’s it. At this point you are expecting some kind of summary with something clever or me giving away my own opinion on this subject. But that’s just the behavioral analysis engine in your head getting it all wrong.


The opinions expressed in this contributor article are solely those of the author, and do not necessarily reflect those of Fortscale.


About the Author: Pete knows how to solve very complex security problems and then teaches and enables others to do the same. His daily job is as the Managing Director and co-founder of the Institute for Security and Open Methodologies (ISECOM). He specializes in securing the things that nobody has secured before- prototypes, new businesses, processes, and even people. He researches new security paradigms for the Open Source Security Testing Methodology Manual (www.osstmm.org) and Hacker Highschool Security Awareness specifically for Teens (www.hackerhighschool.org). He co-created the OPST, OPSA, OWSE, and OPSE security certifications to assure professionals have accurate and efficient security skills and know-how.