
I found an article this morning through my daily cruise through tech news. I mentioned the company mentioned in the article, Codespaces, yesterday when I was talking with our management team. Codespaces was wiped out of existence by an attack that ultimately led to the near-total destruction of their data. The timing is serendipitous because this article touches on some of the points I was trying to make about looking for anomalous data in the many streams of data we already have at our disposal, or could easily add.

http://techpageone.dell.com/technology/dont-let-your-enterprise-network-fail-on-the-basics/#.U8-sxFaskzI

From the article: “Every attack is a sequence of events.”

I’ll extend that: “Every system failure or security breach is a sequence of events.”

Failures are generally not atomic events. Systems aren’t 100% functional one instant, and down to 0% the next. Anomalous data is a bellwether that something different is happening, that something worth taking a closer look at is in progress. Not that something necessarily wrong is happening. You don’t know that yet. All you know is that something different is happening, a possible indicator of trouble on the horizon. You’re begging for trouble if you know you have an anomaly in progress and you ignore it.

A simple example: interpreting car dashboards in context. I’ve driven two Volkswagen Beetles in recent years. One Beetle had a faulty coolant sensor that would indicate an over-temperature condition no matter what, even when the coolant level was fine and the car was cooling properly. The other Beetle, driven by my daughter, had a coolant sensor that was OK. Last week it lit up for the first time. She mentioned it to me, and I did what I could do at 10:30 at night in the dark: checked the coolant with flashlight in mouth, and topped it off. I told her to keep an eye on it. The next day the sensor went off again, but she kept driving the car. A short while after that, when my wife was driving the car, billows of white smoke poured out of the car because a cheap plastic connector had broken.

A problem started to unfold with my car, and an indicator went off. I responded (added coolant to a leaky system), but that didn’t resolve the core problem. The indicator went off again, was ignored, and the problem got worse. If my wife hadn’t stopped the car immediately with the third indicator (smoke), the over-temp could have warped the rods and destroyed the engine. Furthermore, the status of the indicator had an entirely different meaning based on the historical trend data of the particular Beetle.

Changing data is telling you something. Listen to it.
