A few months ago, a French trader managed to create one of the biggest trading losses ever recorded. He kept digging a hole with more trades, trying to offset his losses. He managed to hide his trades very skillfully until a bad combination of market trends made his losses too big to hide. It’s not the first time a rogue trader has tried to cover up a small mistake and turned it into a huge mistake. But what was interesting about this case is how the trader was able to hide his losses. You see, he used to work for the audit department. He knew their processes inside-out. He knew what they looked for, what types of trades would attract their attention. Because the audit process was predictable and known, he was able to neatly side-step it.
So predictability is not good for security – it makes it easier for an adversary to evade your controls. On the other hand, we also need predictability in our security processes, to ensure they are carried out consistently. So how do you find a balance? Your security process should combine well-rehearsed, consistent procedures with a bit of ad-hoc, free-form security review. You set up rules and alerts for specific patterns (known-bad). But it’s also good to go trawling through system and security events. When looking for anomalies, you use a non-deterministic and flexible pattern-matching machine: your brain. Better than any rules-based system, it can find events that are “weird” even if you can’t describe what “weird” is in advance. You just know it when you see it.
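The two-layer process described above (deterministic rules for known-bad patterns, plus a view of the rest for a human to trawl through), as an added Python example that is not part of the original post. The events, the field names, the hard limit and the trading hours are all constructed for illustration. The second layer does not try to name the anomaly; it summarises each user's activity and ranks users by how far any feature of their profile sits from their peers, so a reviewer is pointed at the unusual without having defined it as a rule in advance.

```python
"""Two-layer review of audit events: known-bad rules plus a peer-group
review queue. All data, field names and thresholds are constructed for
this example and are not from the original post."""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str
    action: str    # "trade" or "cancel"
    amount: float  # notional value of the trade
    hour: int      # hour of day, 0-23


LIMIT = 1_000_000             # assumed hard limit that a rule watches for
TRADING_HOURS = range(8, 19)  # assumed trading window, 08:00-18:59

# Constructed sample events (not real data). Most users trade modestly; one
# user keeps every trade just under LIMIT, which no rule below describes.
EVENTS = [
    Event("alice", "trade", 50_000, 10),
    Event("alice", "trade", 80_000, 11),
    Event("bob", "trade", 20_000, 9),
    Event("bob", "cancel", 20_000, 9),
    Event("bob", "trade", 120_000, 14),
    Event("carol", "trade", 70_000, 15),
    Event("carol", "trade", 1_500_000, 16),   # tripped by over_limit
    Event("dave", "trade", 40_000, 10),
    Event("dave", "trade", 30_000, 23),       # tripped by off_hours
    Event("erin", "trade", 990_000, 10),
    Event("erin", "trade", 995_000, 11),
    Event("erin", "cancel", 995_000, 12),
    Event("erin", "trade", 999_000, 13),
]

# Layer 1: known-bad rules as (name, predicate) pairs. These are the alerts.
RULES = [
    ("over_limit", lambda e: e.action == "trade" and e.amount > LIMIT),
    ("off_hours", lambda e: e.action == "trade" and e.hour not in TRADING_HOURS),
]


def run_rules(events):
    """Map each event that trips at least one rule to the names of those rules."""
    hits = {}
    for e in events:
        names = [name for name, pred in RULES if pred(e)]
        if names:
            hits[e] = names
    return hits


def user_profiles(events):
    """Summarise each user's activity into a few numeric features."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    profiles = {}
    for user, evs in by_user.items():
        trades = [e.amount for e in evs if e.action == "trade"]
        profiles[user] = {
            "trade_count": len(trades),
            "mean_amount": sum(trades) / len(trades) if trades else 0.0,
            "max_amount": max(trades, default=0.0),
            "cancel_count": sum(e.action == "cancel" for e in evs),
        }
    return profiles


def peer_zscores(profiles):
    """Score every feature of every user against the population of users."""
    if not profiles:
        return {}
    features = next(iter(profiles.values())).keys()
    z = {u: {} for u in profiles}
    for f in features:
        vals = [p[f] for p in profiles.values()]
        mean = sum(vals) / len(vals)
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
        for u, p in profiles.items():
            z[u][f] = (p[f] - mean) / std if std else 0.0  # flat feature -> 0
    return z


def review_queue(events, top=3):
    """Layer 2: users the rules did not flag, ranked by their most extreme
    feature. Returns [(user, feature, z)] for a reviewer to look at by eye."""
    caught = run_rules(events)
    rest = [e for e in events if e not in caught]
    z = peer_zscores(user_profiles(rest))
    ranked = []
    for user, feats in z.items():
        feature, score = max(feats.items(), key=lambda kv: abs(kv[1]))
        ranked.append((user, feature, score))
    ranked.sort(key=lambda r: abs(r[2]), reverse=True)
    return ranked[:top]


if __name__ == "__main__":
    for e, names in run_rules(EVENTS).items():
        print("ALERT", names, e)
    for user, feature, score in review_queue(EVENTS):
        print(f"REVIEW {user}: {feature} z={score:+.2f}")
```

Run as a script, the two rule hits come out as alerts, while the user whose every trade sits just under the limit trips nothing in layer 1 and heads the review queue on `mean_amount`. The queue is not an alert: it is the sorted material for the trawl the post recommends, and a second user appears behind the first simply for having cancelled a trade, which a reviewer will glance at and dismiss. Comparing users to their peers rather than to fixed thresholds is the point: a threshold is something an insider who knows the process can stay under, whereas a profile that differs from everyone else's is harder to plan around.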