I took note of the recent uptick in discussions about the concept of observation in the IT world and found myself compelled to come back to the topic, which I’ve touched on previously in my blog posts.
“Observability” is often treated as a synonym for “monitoring,” covering things such as metrics, traces, and logging. Observation, however, carries an important distinction. IT security monitoring measures and evaluates against a defined standard to separate “good” from “bad,” whereas observability is about gathering as much information as possible and then asking questions of that data as experience dictates, for example when a new event occurs. In this way, an inconsistency can be revealed before it escalates into a full-scale data breach.
The File Integrity Monitoring Playground
In the world of security, observability has always been where File Integrity Monitoring “plays” its strongest game. The questions being asked these days make this all the more important. Gone are the days when “raw” detection was considered 100% effective; there is increasing pressure to understand a breach in far greater detail than ever before. As the question “can you prevent a breach?” has slowly become “you may be breached, so what can you do about it?”, the questions raised by such events have become more complicated than a simple “what did you get hit by?” Adding to this pressure, external reporting requirements, brought on by increasingly thorough legal obligations and a more tech-savvy public, mean there are far more questions asked than ever before. For example, most data privacy acts, such as GDPR and PIPEDA, include reporting time-frames, and many civil codes now include data breach reporting requirements as well. Along with that, the almost customary post-breach dip in the stock price of a publicly traded company demonstrates the loss of confidence a breach generates.
Back when viruses were considered the biggest threat to an organization, identifying the malware was important in order to prevent spread and damage. With the new generation of cybercrime, however, the goal is to gain entry, then persist and expand access. It is no longer sufficient to know about a single infectious file or payload; it is now important to understand the myriad ways in which systems can subsequently be attacked.
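The distinction drawn above, monitoring against a fixed standard versus collecting rich data and asking questions of it later, is easiest to see in a File Integrity Monitoring baseline. The following is an added example written for this post, not Tripwire code and not part of the original article. It snapshots a constructed temporary directory tree, records more than a pass/fail hash per file (content hash, size, permission bits, mtime), simulates some drift, and then asks three questions that a simple "did the hash change?" check would not answer on its own: which files changed content while keeping the same size, which files became executable, and which files had their permissions loosened. All paths and file contents are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Record a rich baseline for every regular file under root.

    Observation-style FIM keeps more than a hash: size, mode and mtime let
    analysts ask new questions of the data later without re-scanning.
    """
    root = Path(root)
    records = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        records[p.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
            "mtime": st.st_mtime,
        }
    return records


def diff_snapshots(baseline, current):
    """Classic monitoring view: what was added, removed, or changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        path for path in set(baseline) & set(current)
        if baseline[path]["sha256"] != current[path]["sha256"]
        or baseline[path]["mode"] != current[path]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


# Observation view: questions asked of the collected data after the fact.
def same_size_content_changes(baseline, current):
    """Files whose bytes changed but whose size did not (a subtle edit)."""
    return sorted(
        path for path in set(baseline) & set(current)
        if baseline[path]["sha256"] != current[path]["sha256"]
        and baseline[path]["size"] == current[path]["size"]
    )


def newly_executable(baseline, current):
    """Files that carry an execute bit now but did not in the baseline."""
    return sorted(
        path for path, rec in current.items()
        if rec["mode"] & 0o111
        and not (path in baseline and baseline[path]["mode"] & 0o111)
    )


def loosened_permissions(baseline, current):
    """Files that gained permission bits they did not have in the baseline."""
    return sorted(
        path for path in set(baseline) & set(current)
        if current[path]["mode"] & ~baseline[path]["mode"]
    )


def run_demo():
    """Build a constructed tree, take a baseline, drift it, and ask questions."""
    tmp = Path(tempfile.mkdtemp())
    try:
        (tmp / "etc").mkdir()
        (tmp / "bin").mkdir()
        (tmp / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (tmp / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (tmp / "bin" / "tool").write_text("#!/bin/sh\necho ok\n")
        os.chmod(tmp / "bin" / "tool", 0o755)
        baseline = snapshot(tmp)

        # Constructed drift: a same-length edit, a new executable, a chmod.
        (tmp / "etc" / "hosts").write_text("127.0.0.1 localhosx\n")
        (tmp / "bin" / "helper").write_text("#!/bin/sh\necho hi\n")
        os.chmod(tmp / "bin" / "helper", 0o777)
        os.chmod(tmp / "etc" / "passwd", 0o666)
        current = snapshot(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)

    return {
        "diff": diff_snapshots(baseline, current),
        "same_size_edits": same_size_content_changes(baseline, current),
        "newly_executable": newly_executable(baseline, current),
        "loosened": loosened_permissions(baseline, current),
    }


if __name__ == "__main__":
    for question, answer in run_demo().items():
        print(f"{question}: {answer}")
```

The point of keeping size and mode alongside the hash is that the three questions at the end were not anticipated when the baseline was taken; they are answered purely from data already collected, which is the "gather first, ask later" posture the post describes.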
Focusing in on Observation
As a result of all these considerations, observation becomes a much more interesting concept, and one I see forensic experts and in-house security teams focusing on, with more complex questions and searches becoming key.
Tripwire Enterprise has always included robust, context-sensitive search functionality. This means that every page offers the ability to search for items relevant to that particular page. Along with that, the reporting tools offered as part of Tripwire Connect make the creation of new and unique searches both easier and more informative.
I’ve long been a fan of detective TV shows, and the recent explosion of “Escape Room” games has furthered this healthy obsession. Home-based puzzles have also helped me develop these problem-solving skills. Such games offer just enough hints to constrain your question space: if you are playing a game based on Sherlock Holmes, for instance, it’s unlikely that you will be asked about rocket science. They all flex the creative-thinking muscles, and such activities can be great team-building exercises as well as good learning experiences. (Bonus points to anyone out there who can find some good IT security-based Escape Rooms you can experience at home!)
In the IT world, we are very often asked to think creatively in exploring the data generated by the machines we build. Part of this is achieved by knowing the right questions to ask, which shifts the challenge to encouraging both logical and creative thinking skills. These are what we should all seek to hone this year, allowing us to truly take on observation-based security.