Knights and Knaves, and Critical Insight

4 min read

EDITOR'S NOTE: This article was originally published in October 2015.

Critical Insight. It’s what we provide, and the name of our next generation product, released July 31, 2015.

The name, the product, the new capabilities and a new perspective on how to achieve all of it seemed worthy of explanation… and maybe a fun puzzle.

As scientists and practitioners working in an infant science like information security, we find that we spend a lot of time looking at more mature science for models and techniques that we can use to “see further, by standing on the shoulders of giants” to both paraphrase and mangle Sir Isaac Newton. We find ourselves reading textbooks and taking classes in statistics, numerical analysis, natural language processing and epidemiology, among other things.

When presented with the problem of modeling an approach to the very real problem of applying a mix of signature, anomaly, behavioral and reputation methods to the vast amounts of data available from modern networks and systems—our team kept finding themselves making great progress, then retracing their steps to accommodate new information, new threats or just plain new thinking.

Clearly, a state of continuous re-design is not a sustainable as a service supporting regional critical infrastructure in the face of constantly evolving threat and stream of successful attacks. We needed to find a giant’s shoulder, and we found one in logic puzzles.

There’s a classic set of logic puzzles, called “Knights and Knaves” which revolve around the central concept that you have two resources which you can question; Knights, which can tell only truth and Knaves, which can tell only lies. The important fact about this category of puzzles is that the solutions do not come the form of an answer, but a question. (Like Jeopardy, only with more symbolic math.) As a brief example, consider the following puzzle:

You are hiking in the Scottish Highlands and come to a fork in the path with a sign explaining that one path leads shortly to beer and a nice place to rest, while the other path is beset by mimes offering pretend cheese. Beside the road are two experienced travelers which know which path is which – but all you know is that one is a Knight and one is a Knave. You only have time for one question and you can ask either of the travelers. What question do you ask? (Note: One possible answer is at the bottom of this blog entry**

Lots of us on the team have experience with these kinds of problems, so re-thinking our analysis approach as an exercise in knowing what questions to ask seemed like it could produce interesting results. In fact, this led us down the path, which defines our approach and product. Put simply: We don’t know all of the questions we need to ask, and will never know them until it’s way too late to redesign our product to answer the new questions. So, we take a data science approach to assimilating, indexing, enhancing and analyzing information—with the architectural goal of answering three categories of questions:

  • Questions we already know how to ask (not very hard).
  • Questions we don’t know about yet, but answers to which exist in the data (harder, data science required).
  • Questions we don’t know about yet, which the data itself will expose (much harder, machine learning pixie dust required).

Once we started looking at the problem this way, many aspects of our design fell into place (11.2 dry erase markers later.) Modern approaches to remote data collection, queuing, indexing and archive make it possible to ingest truly amazing quantities of data, structuring it ad-hoc as needed. And the best part? We can ask questions of the data that we had no idea we’d need until an analyst saw something odd, squinted at it for a couple of seconds and then asked a new question.

For example, we’ve known for quite a while that lateral traffic (workstation to workstation) is somewhat odd, and that certain patterns can indicate that something is amiss (typically malware) and needs to be investigated. Wait, though—are there precipitating events in web logs/packet capture data/IDS signatures that we should be looking for in order to identify this malware before it happens? Maybe it’s happened elsewhere, so far undetected and we can ID some systems to take a closer look at.

This is the essence of Critical Insight version 1.5. We combine our extensive experience as analysts, data scientists and security experts to reducing the mountain of data produced by any operational network into confirmed incidents, which we communicate to the affected parties as an Incident Action Plan (plugged into YOUR incident management process.)

  • Our experienced analysts receive automated alerts based on known patterns.
  • Our analytics engine provides live analysts with an unprecedented view of potential indicators of compromise, with the ability to pivot, restructure and generally find the needle in the needle stack.
  • We provide reports at a reduction scale of 100,000:1 of real events that require your attention.

We are very excited about this new release. We’ve engineered a new on-premise Critical Insight Collector (CIC) to accept all of the sources of information your network produces. We’ve completely restructured connectivity from your on-site CIC to our Security Operations Center for greater resilience and zero perimeter impact. We’re asking questions we didn’t know to ask yesterday, and getting useful answers. We’re tracking the Knaves like never before.

** One question that will work for this puzzle is, “What would the other traveler say is the mime infested path?” The Knave will lie about what he knows the Knight will say—providing the mime path. The Knight will answer truthfully what lie he expects that we Knaves would tell, providing the mime path as well. Take the other path.