Following in Dr. Snow’s footsteps
We can follow Dr. Snow’s lead by looking for commonalities, differences and outliers in our own digital communities. We need to start to look for what makes one system get infected while another does not. It is difficult to inconvenience many people based on incomplete evidence or misunderstood information. It may help to tell the Dr. Snow story to illustrate the parallels with the difficult fight against digital diseases. When the water pump on Broad Street was removed, the community complained about the inconvenience of having to walk farther to get their water. In order to convince our digital General Board of Health to remove a digital pump handle at an organization, we must have the evidence to back up our claims. We must remind users that when it comes to digital diseases, just like biological diseases, epidemiology is a science of probability not a science of certainty. Even a great historical figure such as Dr. Snow did not have 100% certainty of the cause of Cholera, he merely had statistics to infer from; but it was enough to make a difference to London and eventually every city in the world.
If communications are firmly in place with decision makers and users, the next part is learning how to set expectations. When decision makers or users ask for an update, both information security personnel and the users must understand that the quality of information is greatest at the conclusion of the investigation and so preliminary data may be slim or missing entirely. A diagnosis is more accurate after tests have been done. When epidemiologists are asked to investigate an environment they analyze frequencies and relationships within hosts using numerous different study tools as described in the appendix. These tools are far from perfect, but they are some of the best tools we have to fight diseases.
CDC Best Practices
One common practice during an analysis at the Center for Disease Control and Prevention Epidemic Intelligence Service (CDC EIS) is to spend 10 minutes to explain what you know about the state of the environment at the moment with results of current analysis, and then spend 10 minutes on questions and answers. If next step actions are not clear or the presented data is flawed, adjourn and investigate further. Another habit from CDC EIS is the recruitment of representatives from different groups in the organization to perform some of the basic field work; these people become sentinels in the surveying of the environment. Few organizations can afford all the security they want, so leverage existing human resources as much as possible. Prepare a reporting system for remote information security or sentinel personnel to report suspicious activity. Indoctrinate all information security personnel into the epidigitalogy process. Rotate volunteer personnel to slowly bring all information technology personnel up-to-speed on epidigitalogy thinking in order to have personnel ready as sentinels during the next digital disease survey or outbreak. In order to obtain good data for surveying analysis, it is important that the information security professional (the listener) be patient and understanding. It is equally important for the reporting source to know how to report in clear terms. A security practitioner’s desk side manner goes a long way to assuring a good infosecurity to user relationship.
Epidigitalogy thinking encompasses these concepts:
1. Work under assumption that digital disease pathogens are already in the environment. Few environments, biological or digital are 100% free of disease pathogens.
2. Always actively monitor IT functions for signs of digital disease symptoms.
3. Document previous digital disease outbreaks to learn what can be changed on hosts or in the environment to improve organizational digital health.
4. Share knowledge of surveys regardless of how trivial it may seem.
5. Think about digital disease investigations as an endeavor based on probability versus an endeavor of absolute certainty.
6. Leverage epidemiological investigation tools such as 2x2 tables, frequency distribution tables and epicurves to determine commonalities and outliers.
7. Professional resources are often scarce, therefore volunteers reporting from the field are critical to the continuance of a healthy environment.
8. Culture and social behaviors play a role in the digital health of the environment.
In the epidemiology field there is rarely 100% of the information available to survey a disease of interest. Epidemiologists use statistical sampling in order to make inferences from their data and apply it to the total population under investigation. By copying this statistical analysis process, epidigitalogists may sample a small percentage of the host population with more aggressive logging in order to run further statistical models to ascertain what percentage of the surveyed systems are exhibiting a digital disease. If any of the surveyed systems exhibit a digital disease, this may warrant either expanding the survey to a larger group, or it may be enough information to execute implementing a mitigating control. Once a survey is tested and is deemed effective in identifying symptoms on a subset of the organization, using automation to make it a continuous study may help to improve the long term health of the environment. In data survey exercises, it is assumed that the host protection technology may not necessarily be detecting a threat by name, but by implementing more aggressive logging beyond traditional Antivirus controls; commonalities, differences and outliers may be observed.
Step 1. Retrieve all the log data from hosts and environment to run statistical models. i.e. 2x2 tables, frequency distribution, epi-curves on different variables as described in a future post. What percentage is exhibiting suspect activity?
Step 2. Increase survey group size if step 2 was conclusive enough to warrant further investigation.
Step 3. If step 3 reveals any outliers or commonalities indicative of a digital disease, then create a mitigating control. Deploy the mitigating control to the randomly sampled systems and rerun statistical models to ensure the control is effective. Also observe the security management platform for new digital disease pathogens detected and for identifying false positives.
Step 4. If false positives are too high and identification of digital disease pathogens is too low, remove mitigating control.
Step 5. If false positives are low or deemed to be at acceptable levels and identification of never-before-seen digital disease pathogens are high, then proceed to implement mitigating control to a greater survey group of systems.
Step 6. If the greater survey group does not report false positives, then proceed to deploy to the entire population.
Step 7. The helpdesk should be monitored for increased activity of support calls, which may indicate a mitigating control is having adverse effects.
See previous post: Origins of Modern Epidemiology
Next post Part IV Leveraging Waiting Room Time