Hi everyone. Ed Amoroso here. I want to talk to you in this video about a concept in cyber security that we refer to as auditing. And I don't mean human beings coming in and doing an audit. I mean computing processes that are collecting data and building log files as the basis. One of the things that we saw in the earliest computer systems, big mainframes, was that they would generate log files, and it's been a foundational item in cyber security ever since, the idea that we collect data. We take it for granted. Right? A lot of you probably talk about big data analytics and big data lakes of information and doing analysis and analytics and AI and machine learning on all those data, but where does that data come from? Where is it all coming from? Turns out that there's a pretty effective taxonomy that you can build up. Let me tell you where this came from before I explain it to you. I had a boss once who came to me and said, cyber security stuff, isn't that really just kind of keeping track of stuff that's happening? And I remember thinking, that really is kind of an interesting view, because I had always thought of cyber security in the context of the old reference monitor concept, which is taking action based on policy. Alice wants to connect to Bob, security sits in the middle, decides if it's okay. If it's okay, let it through; if it's not okay, don't. But this idea that maybe another view of security is that I'm not going to worry so much about that, but I'm just going to keep track of everything, is an interesting concept. I'll give you an example why I think this is so foundational. There are two ways that security, or any sort of thing in the middle, some sort of additional component in the middle, can impose policy. One is it can arbitrate, which means Alice connects through this security piece to Bob. It sits actively in the middle of Alice and Bob, plays an active role. That's one.
Second is, security sits off and just keeps track of what happens, doesn't affect what Alice and Bob do, but if either of them has a beef, they bring it to me and I'm the judge. This is how courts work. Right? Where a court basically looks at evidence. The evidence comes in and the judge decides. Is the judge out being the traffic cop making sure there's no traffic accidents? No. Absolutely not. But having a court and having judges and having evidence might make people drive a little bit more carefully, because they know they might get judged and get thrown in jail or something. You follow? It's an interesting way of thinking about cyber security. Now, the taxonomy that I want you to learn and have in your mind, and have almost as something that you memorized, is that auditing can come in one of two different ways. It can either be based on something that's internal that's generating information out natively. It's embedded in the system and it pushes out log files. It's embedded in the code. It was designed in from the beginning to be emanating out information about what is happening. That's one. And the second is, I have this mechanism I built or network I'm using or computer I'm using or gizmo I've built, and from the outside I latch on. I connect with alligator clips. I put a tap on. I watch from the outside. I hang a camera to watch. I'm collecting data external to the native behavior of that system. Those are your two options. Now, you can do both; it'd be great. But if you buy something that doesn't have audit embedded, then you've got to do it externally. If it comes with it native, then you're in good shape. Most operating systems generate log files. Right? I mean, you don't have to go into the kernel and create log information generators. It's already there. So if you think of those as two rows, then for the most part there are three levels at which we do auditing. Generally, as computer scientists, we think of these three levels.
One is something we call the application level. That's where, from that kind of consistent user interface and sort of high-level functionality, we can generate things. Your browser, for example, generates a browsing history. That's an application-level, internally generated component that gives some indication about the behavior on your system. So application level is one. Second is system level. Usually we think of that as the operating system or the kernel or the code that drives the core functionality of some computer or device or whatever. And, again, an OS will have internally generated log files. If it doesn't, then you are going to have to find something that sits around the operating system, in the runtime system, providing some log of the behavior. So obviously you're better off with something internal than external, but the advantage of external is that if you bought something that just doesn't have what you need, then you can latch on. And then the third is network, and that's where, at the network level, you want to have a good understanding of what's happening. It turns out, generally, the external observation that comes with putting a tap on a network or putting on a SPAN port, some way of collecting out data, is, in many cases, more common than a network natively generating audit logs. Networks were always designed to move packets, not to expose a lot of information about what's going on, although clearly a lot of network devices do that. So think about that taxonomy: internal/external, and app, system, network. That gives you six possibilities.
And as you're doing your design work, depending on what it is that you're building, as a system engineer, as a developer, as a designer, which I know that a lot of you either do now or will do at some point in your career, these are important cases to keep in mind. As you design something that will complement the firewalls and reference-monitor-type mitigation behavior, or the arbitration, it will complement that by having the ability, potentially, to judge or adjudicate based on evidence. And it turns out that's really what security analytics is all about. It's about collecting evidence, making some determination and judging. So I hope this has been a useful insight for you in the way auditing and log files complement the way we do cyber security. I'll see you on the next one.
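As an added illustration, not code from the video or from Ed Amoroso, here is the arbitrate-versus-judge distinction in a few dozen lines of Python. The `ReferenceMonitor` is the active component sitting between Alice and Bob; the `AuditLog` is the passive one that sits off to the side and only records. `observe()` is the "alligator clips" case: it latches onto an existing `connect()` function from the outside without changing what it does. The policy table, the event fields, and the hash-chained log format are all constructed for this example; the chaining is an addition so the evidence the judge looks at is tamper-evident.

```python
"""Arbitration versus adjudication for Alice -> Bob requests.

Added example; not code from the video. The policy table, the event
fields and the hash-chained log format are all constructed here.
"""
import hashlib
import json
import time
from typing import Callable, Dict, List, Tuple

# A policy maps (subject, object) to allowed/denied. Constructed sample.
Policy = Dict[Tuple[str, str], bool]
SAMPLE_POLICY: Policy = {("alice", "bob"): True}


class ReferenceMonitor:
    """Option 1: the active component that sits between Alice and Bob.

    Every request passes through it and is decided before it happens.
    """

    def __init__(self, policy: Policy) -> None:
        self.policy = policy

    def request(self, subject: str, obj: str) -> bool:
        # Default deny: anything not explicitly permitted is blocked.
        return self.policy.get((subject, obj), False)


class AuditLog:
    """Option 2: the passive component that sits off to the side.

    It never blocks anything; it records what happened so a 'judge' can
    look at the evidence later. Each entry carries a SHA-256 over itself
    plus the previous entry's digest, so altered evidence is detectable.
    """

    ANCHOR = "0" * 64  # chain start for the first entry

    def __init__(self) -> None:
        self.records: List[dict] = []
        self._prev = self.ANCHOR

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, event: dict) -> dict:
        body = dict(event, prev=self._prev)
        entry = dict(body, digest=self._digest(body))
        self.records.append(entry)
        self._prev = entry["digest"]
        return entry

    def verify(self) -> bool:
        """Re-walk the chain; False if any entry was altered or removed."""
        prev = self.ANCHOR
        for entry in self.records:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if body.get("prev") != prev or self._digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True

    def adjudicate(self, policy: Policy) -> List[dict]:
        """The judge: apply policy to the evidence after the fact."""
        return [e for e in self.records
                if not policy.get((e["subject"], e["object"]), False)]


def observe(log: AuditLog, fn: Callable[[str, str], str]) -> Callable[[str, str], str]:
    """External auditing: latch onto an existing function from the outside.

    The wrapped function behaves exactly as before; the log just sees
    every call and its outcome.
    """

    def wrapped(subject: str, obj: str) -> str:
        result = fn(subject, obj)
        log.record({"ts": time.time(), "subject": subject,
                    "object": obj, "result": result})
        return result

    return wrapped


def connect(subject: str, obj: str) -> str:
    """Bob's service as bought: no audit built in and no policy of its own."""
    return f"{subject} connected to {obj}"


if __name__ == "__main__":
    monitor = ReferenceMonitor(SAMPLE_POLICY)
    print("arbitrate:", monitor.request("alice", "bob"), monitor.request("mallory", "bob"))

    log = AuditLog()
    watched = observe(log, connect)  # nothing is blocked, everything is seen
    watched("alice", "bob")
    watched("mallory", "bob")
    print("evidence intact:", log.verify())
    print("violations:", [e["subject"] for e in log.adjudicate(SAMPLE_POLICY)])
```

Run it and the monitor denies Mallory up front, while the observed path lets Mallory through and only flags the connection when the log is adjudicated afterward; editing any recorded entry makes `verify()` return False, which is the property a judge needs before trusting the evidence.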