Scientia Potentia Est (Knowledge is Power)

Submitted by Ofer Shezaf on 22 February 2012 - 10:36pm

The famous proverb “Knowledge is power” is attributed (probably wrongly) to Sir Francis Bacon, one of the founding fathers of modern science. Usually taken to refer to the contribution of science to the progress of human well-being in modern times, it is often criticized on the grounds that it takes action, and not just knowledge, to achieve progress.

The world of information security presents a similar dilemma. In my previous post, “black cat, white cat”, I divided the world of security controls into blacklisting tools for detecting and preventing attacks and whitelisting tools for enforcing policies. However, this is not the only categorization one can make of security tools: an orthogonal categorization would be between passive controls, the “knowledge”, and active controls, the “action”. Is knowledge power? Are passive controls, which provide us with information but do not take action, effective?

For blacklisting solutions, and especially for intrusion detection, the differentiation between passive and active controls is clear but still perplexing. While it has been a while since intrusion prevention systems replaced intrusion detection systems as the bon ton in information security, one wonders why detection-only systems were introduced in the first place. Moreover, why are so many intrusion prevention systems used in detection-only mode?

The distinction between detection and prevention also exists for whitelisting tools. As a matter of fact, most policy management tools focus on assessment only. Some obvious examples are vulnerability scanners and configuration assessment tools. A more surprising whitelisting tool that is passive is a source code analyzer.

These examples, which focus on very commonly used tools that most of us see as useful but which only provide information, may actually shed some light on the dilemma presented above. It seems that one reason for passive controls is that in some areas remediation cannot be automated. Source code analyzers are a perfect example, as coding issues are challenging to fix automatically and require human attention. The same applies to intrusion detection and prevention systems: as the technology for blocking attacks advanced, prevention systems overtook detection systems as the leading intrusion management solution.

A whole class of systems goes one step further and focuses solely on information collection and analysis. Information may be collected to allow investigation and forensics. Information and analysis may also be used for prioritizing remediation tasks and for selecting a correct and timely remediation option. This tactical level has been handled for years using log management systems and security information and event management (SIEM) systems; however, as they are tightly coupled to security operations, it can be argued that they still represent an active system with a human analysis phase.

However, as information security is becoming more central due to society's perception, the threat landscape and the regulatory environment, there is a need to ensure the effectiveness of information security as a whole. Systems that would support such goals would rely on the collection and analysis of security information to help drive strategic decision making. In the context of information security the primary indicator of effectiveness would be risk level, and therefore those systems should be called “information security risk management systems”. As such, they would represent a better example in which knowledge is used by itself to enhance security.
