Ethnographic Fieldwork at a University IT Security Office. Xinming (Simon) Ou, Kansas State University. Joint work with John McHugh, S. Raj Rajagopalan, Sathya Chandran Sundaramurthy, and Michael Wesch.


SOC Monkey's Life
[Diagram: security advisories (an "Apache bug!"), vulnerability reports, network configuration, IDS alerts, and users and data assets all feed a reasoning system whose goal is automated situation awareness.]

On-going Ethnographic Fieldwork
Multiple PhD students embedded with security analysts at a campus network:
– Incident response and forensics
– Firewall management
– Managing host-based intrusion detection (IDS) and anti-virus systems
Collaborating with an anthropologist, who:
– Teaches us proper fieldwork methods
– Helps us understand and handle the human aspects

The University SOC
[Org chart: the CISO heads four functions: Incident Response and Forensics, Firewall Management, Antivirus and Phishing Scams, and PCI Compliance.]

Ticket Generation
[Diagram: firewall logs, MAC-to-user-ID logs and ARP logs are correlated to produce a ticket.] This process takes up to 10 minutes in the worst case.

This is not an Isolated Problem
See the talk tomorrow: Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterprise Networks.

Let's implement a caching database: this reduced ticket generation time to just seconds.
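The correlation the two preceding slides describe, as an added example that is not the K-State SOC's code: the firewall, ARP and MAC-to-user log formats, the field names and every log line below are constructed for illustration. It goes one step beyond the slides by showing the check a practitioner would want in the cache: the lookup returns the mapping in force at the event's timestamp, not the most recent one, so a DHCP lease reassigned after the firewall hit does not get blamed on the wrong user.

```python
"""Ticket generation by correlating firewall, ARP and MAC-to-user logs.

Added example, not the K-State SOC's code. Log formats, field names and
all log lines below are constructed for illustration.
"""
import bisect
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not real SOC data). One event per line: ISO
# timestamp followed by key=value fields.
FIREWALL_LOG = """\
2014-06-25T10:01:02 action=DENY src=10.20.30.40 dst=203.0.113.5 dport=445
2014-06-25T10:05:10 action=DENY src=10.20.30.99 dst=203.0.113.5 dport=445
2014-06-25T10:45:30 action=DENY src=10.20.30.40 dst=198.51.100.7 dport=22
"""
ARP_LOG = """\
2014-06-25T09:55:00 ip=10.20.30.40 mac=aa:bb:cc:dd:ee:01
2014-06-25T10:30:00 ip=10.20.30.40 mac=aa:bb:cc:dd:ee:02
"""
MAC_USER_LOG = """\
2014-06-25T09:50:00 mac=aa:bb:cc:dd:ee:01 user=jdoe
2014-06-25T10:25:00 mac=aa:bb:cc:dd:ee:02 user=asmith
"""


def parse_line(line):
    """Return (timestamp, {field: value}) for one 'ts k=v k=v' log line."""
    ts, *fields = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), dict(f.split("=", 1) for f in fields)


class TimeIndexedMap:
    """key -> chronologically sorted (timestamp, value) bindings.

    lookup(key, ts) returns the binding in force at ts, i.e. the latest
    one at or before ts, so a lease reassigned after the event is not
    attributed to the wrong user. Returns None if no binding existed yet.
    """

    def __init__(self):
        self._times = defaultdict(list)
        self._values = defaultdict(list)

    def add(self, key, ts, value):
        i = bisect.bisect_right(self._times[key], ts)
        self._times[key].insert(i, ts)
        self._values[key].insert(i, value)

    def lookup(self, key, ts):
        times = self._times.get(key)
        if not times:
            return None
        i = bisect.bisect_right(times, ts)
        return self._values[key][i - 1] if i else None


def build_caches(arp_log, mac_user_log):
    """Index the lookup logs once instead of rescanning them per ticket."""
    ip_to_mac, mac_to_user = TimeIndexedMap(), TimeIndexedMap()
    for line in arp_log.splitlines():
        ts, f = parse_line(line)
        ip_to_mac.add(f["ip"], ts, f["mac"])
    for line in mac_user_log.splitlines():
        ts, f = parse_line(line)
        mac_to_user.add(f["mac"], ts, f["user"])
    return ip_to_mac, mac_to_user


def generate_ticket(fw_line, ip_to_mac, mac_to_user):
    """Firewall event -> ticket carrying the MAC and user active at event time."""
    ts, f = parse_line(fw_line)
    mac = ip_to_mac.lookup(f["src"], ts)
    user = mac_to_user.lookup(mac, ts) if mac else None
    return {"time": ts.isoformat(), "src": f["src"], "dst": f["dst"],
            "dport": f["dport"], "mac": mac, "user": user}


def generate_tickets(fw_log, arp_log=ARP_LOG, mac_user_log=MAC_USER_LOG):
    """Build the caches once, then resolve every firewall event against them."""
    ip_to_mac, mac_to_user = build_caches(arp_log, mac_user_log)
    return [generate_ticket(l, ip_to_mac, mac_to_user) for l in fw_log.splitlines()]


if __name__ == "__main__":
    for t in generate_tickets(FIREWALL_LOG):
        print(t)
```

The second firewall event has no ARP binding at all and the third falls after the lease moved to a second MAC; both are resolved correctly, the first to no user rather than a guessed one. A real SOC cache would be a database keyed the same way, but the per-timestamp lookup is the part that matters for attribution.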

Gained acceptance into the SOC. This led to more collaboration from the incident response analyst. We are starting to move from peripheral participation to full participation.

Threat Intelligence Framework

Use Cases
– Automated phishing scam detection
– Anomalous traffic detection
– Tracking stolen laptops
– Automated ticket generation

Observations
– Lack of any documentation of the needs that the fieldworker ended up addressing: standard procurement processes simply cannot capture the need.
– Lack of awareness of these problems in the vendor community: they are not on the radar of commercial solution providers, even though the problem is old.
– Lack of awareness of these problems in the academic community: there are few papers addressing the real problem, even though many papers cover overlapping areas.

Observations
We are developing a way not just to automate the tasks of an analyst, but to create tools that the analyst actually wants to use.
– The analyst co-creates the tool with us, in a sense.
– This creates a rich space for reaching deeper insights.
– The relationship between humans and their tools: how humans shape tools and how tools shape humans. Anthropology offers a century of reflection on this.

Same Type of Story from Anthropology
Clifford Geertz, Deep Play: Notes on the Balinese Cockfight.

Formulating Grounded Theory
– Strip: ethnographic data (an interaction, a bit of an interview, a sequence of behavior, etc.).
– Frame: a knowledge structure, schema or hypothesis that makes sense of the data.
– Rich point: any moment where a new strip does not make sense in terms of the current frame.
Source: Michael Agar, The Professional Stranger: An Informal Introduction to Ethnography, 1980.

Our Current Frame
– Investigation patterns repeat across incidents.
– Investigation procedures often need to be refined frequently.
– The software that automates parts of the process must then be modified frequently; this is time consuming for a SOC operator.
– The iterations of the software were addition, deletion, or modification of modules.

Alternative Software Development Strategy
– Design a specification language. It must be easy enough for analysts to learn and use, and it must be extensible and amenable to optimization.
– A translator implements the specifications, assembling them from modular components.
– A related idea has been proposed by other researchers: see Borders et al., Chimera: A Declarative Language for Streaming Network Traffic Analysis, USENIX Security 2012.
– The generative programming paradigm will help in achieving this vision.

Generative Programming
– Development of software families rather than specific software, analogous to automation in manufacturing.
– Software must be made of interchangeable modules; this makes component optimization possible.
– An automated way to assemble the components; this requires domain knowledge.

Generative Programming Model
[Diagram, after Generative Programming by Krzysztof Czarnecki and Ulrich W. Eisenecker: the problem space (domain-specific concepts and features) maps through configuration knowledge (illegal feature combinations, default settings, default dependencies, construction rules, optimizations) to the solution space (elementary components with maximum combinability and minimum redundancy). In our setting these correspond to a domain-specific language (DSL), a translator, and security solutions respectively.]
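The strategy of the last three slides (analyst-facing specification, translator, interchangeable components, configuration knowledge) as an added example. This is not the K-State specification language or translator: the spec format, the component set, the lookup tables and the configuration rules are all assumed for illustration. It shows the two pieces of "configuration knowledge" the model names: a default dependency (asking for the user automatically pulls in the MAC resolution step the analyst never wrote) and an illegal feature combination (emitting tickets with no filter at all is rejected at translation time).

```python
"""Specification-to-pipeline translator in the generative-programming style.

Added example, not the K-State specification language or translator.
The spec format, component set, lookup tables and configuration rules
are all assumed for illustration.
"""


# Solution space: elementary, interchangeable components over event dicts.
def make_filter(field, value):
    return lambda events: [e for e in events if e.get(field) == value]


def make_enricher(table, key, out_field):
    # Misses become None rather than dropping the event, so the analyst
    # still sees the hits that could not be attributed.
    return lambda events: [dict(e, **{out_field: table.get(e.get(key))}) for e in events]


def emit_ticket(events):
    return [dict(e, ticket=True) for e in events]


# Constructed lookup tables standing in for the ARP and MAC-to-user caches.
TABLES = {
    "arp": {"10.20.30.40": "aa:bb:cc:dd:ee:01"},
    "mac_user": {"aa:bb:cc:dd:ee:01": "jdoe"},
}

# Configuration knowledge (assumed): which component produces which field,
# what it needs first (default dependencies), and which emitters exist.
ENRICHERS = {
    "mac":  {"table": "arp",      "key": "src_ip", "requires": ()},
    "user": {"table": "mac_user", "key": "mac",    "requires": ("mac",)},
}
EMITTERS = {"ticket": emit_ticket}


def resolve(requested):
    """Order enrichers so every dependency precedes its dependent."""
    ordered = []

    def visit(name):
        if name not in ENRICHERS:
            raise ValueError(f"unknown enrichment {name!r}")
        for dep in ENRICHERS[name]["requires"]:
            visit(dep)
        if name not in ordered:
            ordered.append(name)

    for name in requested:
        visit(name)
    return ordered


def plan(spec):
    """Spec -> list of (component, argument) pairs; rejects illegal combinations."""
    if spec.get("emit") == "ticket" and not spec.get("where"):
        raise ValueError("illegal combination: ticket emission without a filter")
    steps = [("filter", (f, v)) for f, v in spec.get("where", {}).items()]
    steps += [("enrich", name) for name in resolve(spec.get("enrich", []))]
    if "emit" in spec:
        if spec["emit"] not in EMITTERS:
            raise ValueError(f"unknown emitter {spec['emit']!r}")
        steps.append(("emit", spec["emit"]))
    return steps


def is_legal(spec):
    try:
        plan(spec)
        return True
    except ValueError:
        return False


def translate(spec, tables=TABLES):
    """Assemble the planned components into one callable pipeline."""
    stages = []
    for kind, arg in plan(spec):
        if kind == "filter":
            stages.append(make_filter(*arg))
        elif kind == "enrich":
            cfg = ENRICHERS[arg]
            stages.append(make_enricher(tables[cfg["table"]], cfg["key"], arg))
        else:
            stages.append(EMITTERS[arg])

    def pipeline(events):
        for stage in stages:
            events = stage(events)
        return events
    return pipeline


# What an analyst would write: the ARP step is never mentioned, the
# translator inserts it because "user" requires "mac".
SPEC = {"where": {"action": "DENY"}, "enrich": ["user"], "emit": "ticket"}

EVENTS = [  # constructed sample events
    {"action": "DENY", "src_ip": "10.20.30.40"},
    {"action": "ALLOW", "src_ip": "10.20.30.41"},
    {"action": "DENY", "src_ip": "10.20.30.99"},
]

if __name__ == "__main__":
    print(plan(SPEC))
    for t in translate(SPEC)(EVENTS):
        print(t)
```

Changing the investigation then means editing the spec, not the modules: swapping the "arp" table for a different source, or adding an enricher with its own "requires", changes nothing in the analyst's specification, which is the point of separating configuration knowledge from both the spec and the components.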

Ethnographic Fieldwork-guided Cybersecurity Research
[Diagram of the research cycle: apprenticeship; questioning, reflection, and reconstruction; models, algorithms, tools; social acceptance by the community of practice.]

Bringing Anthropology into Cybersecurity: Project Team
– John McHugh, Redjack, LLC
– Xinming Ou, K-State
– Raj Rajagopalan, Honeywell
– Michael Wesch, K-State
– Sathya Chandran Sundaramurthy, K-State
– Yuping Li, K-State
We would like to thank the National Science Foundation for its support.

Related Effort: What Makes a Good CSIRT
– DHS-funded three-year project
– George Mason University, HP, and Dartmouth
– Organizational psychology: knowledge, skills and abilities; teams; interactions
– Economics: costs and benefits
– Results derived from interviews, focus groups, and observation

Why Anthropology?
"We can know more than we can tell." - Michael Polanyi