The challenge for rules-based systems is that humans inject so much variability that determinism itself is suspect. In fact, one can argue that determinism is inversely related to the level of human involvement: the more we muck with things, the less deterministic the outcomes. Now, philosophers will argue that the actual mucking that we do is itself deterministic. I’m not going to touch this since there are people who spend their lives arguing this point.
How does this relate to root cause analysis? In my last post, I used the example of launching a penetration attack during a DDoS attack to go undetected. Another approach, to continue with the flying analogy, is to go low and slow. The classic example is to attempt a log-in three times against an account and then move on, staying under both the alert and the automatic lock-out thresholds. The reason this works is that legitimate users continually make log-in mistakes, so a threshold (an arbitrary one) is set to trigger an event only after X failed attempts and an account lock-out only after X+Y failed attempts. To better manage the situation, many rules-based systems use behavioral rules, differentiating between “Tom”, who rarely misses a log-in, and “Dick”, who fat-fingers his log-in consistently four times before getting it right. Regardless, there is always a low-end threshold, and an attacker who stays below it will still fly under the radar, though the flight may be so long that he runs out of gas: counted over hours rather than minutes, the failures do add up. The best option for forensics is to find aberrations in behavior patterns: “was Dick having a good day (log-in on the second try), or maybe it wasn’t Dick?” As with the lightning=thunder analysis, there is no direct evidence of a violation, only a sign that something is potentially out of order. The next step is to pull out the CSI flashlight and start hunting for additional clues.
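To make the three detection approaches above concrete, here is an added example (my own code, not from the original post) that runs them side by side over a constructed authentication log: a static “X failures in five minutes” rule, a per-user behavioral baseline in the Tom-and-Dick style, and a long-window count per source that eventually catches a low-and-slow attacker. The log format (timestamp, user, source IP, outcome), the user names, the IP addresses and the thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed history: Tom logs in cleanly, Dick fat-fingers ~4 times per session.
HISTORY_LOG = """\
2024-03-01T08:00:01 tom 10.0.0.5 SUCCESS
2024-03-01T08:05:10 dick 10.0.0.7 FAIL
2024-03-01T08:05:15 dick 10.0.0.7 FAIL
2024-03-01T08:05:21 dick 10.0.0.7 FAIL
2024-03-01T08:05:30 dick 10.0.0.7 FAIL
2024-03-01T08:05:38 dick 10.0.0.7 SUCCESS
2024-03-02T08:01:00 tom 10.0.0.5 SUCCESS
2024-03-02T08:04:00 dick 10.0.0.7 FAIL
2024-03-02T08:04:05 dick 10.0.0.7 FAIL
2024-03-02T08:04:12 dick 10.0.0.7 FAIL
2024-03-02T08:04:20 dick 10.0.0.7 SUCCESS
2024-03-03T08:00:30 tom 10.0.0.5 SUCCESS
2024-03-03T08:06:00 dick 10.0.0.7 FAIL
2024-03-03T08:06:06 dick 10.0.0.7 FAIL
2024-03-03T08:06:12 dick 10.0.0.7 FAIL
2024-03-03T08:06:19 dick 10.0.0.7 FAIL
2024-03-03T08:06:27 dick 10.0.0.7 SUCCESS
"""

# Constructed "today": Dick logs in on the second try from a new address, and a
# low-and-slow attacker (203.0.113.9) tries Tom's account twice an hour, never
# reaching three failures inside any five-minute window.
TODAY_LOG = """\
2024-03-04T08:00:10 tom 10.0.0.5 SUCCESS
2024-03-04T08:03:00 dick 198.51.100.23 FAIL
2024-03-04T08:03:07 dick 198.51.100.23 SUCCESS
2024-03-04T09:00:00 tom 203.0.113.9 FAIL
2024-03-04T09:00:04 tom 203.0.113.9 FAIL
2024-03-04T10:00:00 tom 203.0.113.9 FAIL
2024-03-04T10:00:04 tom 203.0.113.9 FAIL
2024-03-04T11:00:00 tom 203.0.113.9 FAIL
2024-03-04T11:00:04 tom 203.0.113.9 FAIL
2024-03-04T12:00:00 tom 203.0.113.9 FAIL
2024-03-04T12:00:04 tom 203.0.113.9 FAIL
"""


def parse_log(text):
    """Parse 'timestamp user src_ip outcome' lines (an assumed format) into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "ok": outcome == "SUCCESS"})
    return events


def _sliding_fail_counts(events, key, window):
    """Yield (event, n) for each failure, n = failures with the same key inside `window`."""
    recent = defaultdict(list)
    for e in events:
        if e["ok"]:
            continue
        q = recent[key(e)]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:
            q.pop(0)
        yield e, len(q)


def static_threshold_alerts(events, max_fails=3, window=timedelta(minutes=5)):
    """The classic rule: alert on a user with >= max_fails failures in one short window."""
    return {e["user"] for e, n in _sliding_fail_counts(events, lambda e: e["user"], window)
            if n >= max_fails}


def peak_fails_per_source(events, window=timedelta(hours=24)):
    """Long-window counter per source IP: the flight that eventually runs out of gas."""
    peaks = {}
    for e, n in _sliding_fail_counts(events, lambda e: e["src"], window):
        peaks[e["src"]] = max(peaks.get(e["src"], 0), n)
    return peaks


def sessions(events):
    """Group each user's events into runs ending at a SUCCESS (or at end of log).
    Yields (user, failures_before_success, sources_seen, completed)."""
    runs = defaultdict(lambda: [0, set()])
    for e in events:
        run = runs[e["user"]]
        run[1].add(e["src"])
        if e["ok"]:
            yield e["user"], run[0], run[1], True
            del runs[e["user"]]
        else:
            run[0] += 1
    for user, (n, srcs) in runs.items():
        yield user, n, srcs, False


def baseline(history_events):
    """Per-user habit: mean/stdev of failures before a successful log-in, plus known sources."""
    counts, sources = defaultdict(list), defaultdict(set)
    for user, n, srcs, completed in sessions(history_events):
        if completed:
            counts[user].append(n)
            sources[user] |= srcs
    return {u: {"mean": mean(c), "sd": pstdev(c), "sources": sources[u]} for u, c in counts.items()}


def behavioral_anomalies(events, profile, z=2.0, min_sd=0.5):
    """Flag sessions that deviate from the user's own habit in EITHER direction (Dick having a
    'good day' is as suspicious as Tom having a bad one) or that use a never-seen source."""
    findings = []
    for user, n, srcs, completed in sessions(events):
        p = profile.get(user)
        if p is None:
            findings.append((user, "no baseline"))
            continue
        if abs(n - p["mean"]) > z * max(p["sd"], min_sd):  # min_sd avoids a zero-variance baseline
            direction = "fewer" if n < p["mean"] else "more"
            findings.append((user, f"{direction} failures than usual ({n} vs ~{p['mean']:.1f})"))
        if srcs - p["sources"]:
            findings.append((user, f"new source {sorted(srcs - p['sources'])}"))
    return findings


if __name__ == "__main__":
    hist, today = parse_log(HISTORY_LOG), parse_log(TODAY_LOG)
    print("static rule, history:", static_threshold_alerts(hist))   # fires on Dick every day
    print("static rule, today:  ", static_threshold_alerts(today))  # silent on the attacker
    for finding in behavioral_anomalies(today, baseline(hist)):
        print("behavioral:", finding)
    print("24h peak failures per source:", peak_fails_per_source(today))
```

Running it shows the trade-off the post describes: the static rule alerts on Dick in the history (noise) and says nothing about the attacker today (miss), the behavioral pass flags Dick for succeeding too quickly from an unfamiliar address and Tom’s account for eight failures from a new source, and the 24-hour per-source count reaches 8 for the attacker even though no five-minute window ever held more than two. None of these is proof of compromise; they are the “something is out of order” signals that justify picking up the flashlight.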