Have you ever gotten the “SSSS” notation on your airline boarding pass? I don’t exactly know what the acronym stands for, but I wouldn’t be surprised if it stood for “Super-Serious Security Scrutiny.”
TSA people refer to it as “The Quad”.
If The Quad is on your boarding pass you can expect close-up unrelenting ID analysis at every post, a diligent (if polite) full body pat-down, inside-out examination of every carry-on, and a wipe down and chemical analysis of every item in or near your possession.
I’m not surprised I got hit with The Quad on my way through San Francisco last week. It was the last leg of a long trip that had taken me through Indonesia (an Islamic country with a recent history of violence and unrest), there were no “return” trips on my itinerary (I went one-way around the world), and to top it all off I’d lost my passport in Tokyo.
I might have even been disappointed (in some weird way) if our transportation security experts hadn’t singled me out. But it made me start thinking about what key threat indicators our customers need to sit up and pay attention to.
Whether they use multiple controls or a SIEM receiving inputs from an army of sensors, what are the things that should make their alarms go off every time? Here are two key “SSSS” triggers that Tripwire Enterprise is really good at detecting:
Odd or unexpected changes to critical systems:
- Do you have unexpected or non-approved changes on your critical IT systems?
- Is Tripwire Enterprise barking about changes to systems with high-risk content like IP, or financial systems?
- Are you seeing changes to ACLs and permissions, or elevated privileges?
Changes to configuration scores and security assessments:
- Are security events centered on a system that’s got open ports or unused sessions or poor authentication standards?
- Are you seeing configuration scores lowering day-over-day? What are the trends?
- Is this exploit connected to a system with a significant (and recent) change to security scores?
Tripwire recently released an add-on offering for Tripwire Enterprise — the VIA Event Integration Framework — which makes it easy to extract these key events and feed them into your SIEM for evaluation and correlation. I won’t let this post become an ad for the new framework (you can read about it here or send me an email) but it’s a perfect example of what I’m talking about: Whether you use Tripwire Enterprise or any other tool you’ve got to be crystal clear about the events, changes, states or circumstances that will send your security apparatus into high gear.
What are the things that should be inviolate to your security posture? At Tripwire we’ll argue these to be:
- Undesired or unexpected change on critical servers
- Insecure or less-than-optimum server, platform and device configurations
Security events that carry these markers require a “QUAD” notice to your teams. That means a full-body pat-down, chemical analysis, and ridiculous (but necessary) levels of scrutiny.
At the end of the day these may be the best indicators of nefarious activity you’ll ever get.
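The correlation described above, as an added example that is not part of the original post and is not Tripwire Enterprise or SIEM code: a security event is escalated only when its host also shows a recent unapproved change or a falling configuration score. Host names, record fields, the three-day window and the 10-point threshold are assumptions, and all data is constructed.

```python
from datetime import date, timedelta
# All data is constructed for illustration; names and fields are hypothetical.
CRITICAL = {"fin-db01", "ip-repo01"}   # hosts holding IP or financial data
WINDOW = timedelta(days=3)             # how far back "recent" reaches
DROP_THRESHOLD = 10                    # score points lost inside the window
CHANGES = [  # (host, day, kind, approved) from change auditing
    ("fin-db01", date(2024, 5, 6), "acl", False),
    ("web03", date(2024, 5, 6), "content", False),
    ("ip-repo01", date(2024, 5, 5), "content", True),
]
SCORES = {  # daily configuration assessment score, higher is better
    "fin-db01": {date(2024, 5, 4): 92, date(2024, 5, 5): 91, date(2024, 5, 6): 78},
    "web03": {date(2024, 5, 4): 85, date(2024, 5, 6): 84},
    "ip-repo01": {date(2024, 5, 4): 95, date(2024, 5, 6): 95},
}
EVENTS = [  # (id, host, day) security events arriving from other sensors
    ("evt-1", "fin-db01", date(2024, 5, 7)), ("evt-2", "web03", date(2024, 5, 7)),
    ("evt-3", "ip-repo01", date(2024, 5, 7)), ("evt-4", "fin-db01", date(2024, 5, 20)),
]

def recent(day, event_day):
    """True when `day` falls inside the look-back window ending at the event."""
    return event_day - WINDOW <= day <= event_day

def score_drop(host, event_day):
    """Points lost between the best and the latest score inside the window."""
    window = sorted((d, s) for d, s in SCORES.get(host, {}).items() if recent(d, event_day))
    return max(s for _, s in window) - window[-1][1] if len(window) > 1 else 0

def quad_reasons(host, event_day):
    """Markers that justify escalating a security event on `host`."""
    reasons = set()
    for c_host, c_day, kind, approved in CHANGES:
        if c_host != host or approved or not recent(c_day, event_day):
            continue
        if host in CRITICAL:
            reasons.add("unapproved change on critical system")
        if kind in {"acl", "permission", "privilege"}:
            reasons.add("unapproved ACL/permission/privilege change")
    drop = score_drop(host, event_day)
    if drop >= DROP_THRESHOLD:
        reasons.add(f"configuration score fell {drop} points")
    return sorted(reasons)

def triage(events):
    """Map event id -> reasons, keeping only events that carry a marker."""
    return {eid: r for eid, host, day in events if (r := quad_reasons(host, day))}

if __name__ == "__main__":
    print(triage(EVENTS))
```

Only `evt-1` is escalated: the same event on the same host two weeks later (`evt-4`) falls outside the look-back window and is left at normal priority.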