[iwar] Trust based on activity/time

From: John Sforza (jsforza@rochester.rr.com)
Date: 2001-06-12 05:57:39

Return-Path: <sentto-279987-1349-992350679-fc=all.net@returns.onelist.com>
Delivered-To: fc@all.net
Received: from by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Tue, 12 Jun 2001 05:59:08 -0700 (PDT)
Received: (qmail 16250 invoked by uid 510); 12 Jun 2001 11:58:35 -0000
Received: from ck.egroups.com ( by with SMTP; 12 Jun 2001 11:58:35 -0000
X-eGroups-Return: sentto-279987-1349-992350679-fc=all.net@returns.onelist.com
Received: from [] by ck.egroups.com with NNFMP; 12 Jun 2001 12:57:59 -0000
X-Sender: jsforza@isrisk.net
X-Apparently-To: iwar@yahoogroups.com
Received: (EGP: mail-7_1_3); 12 Jun 2001 12:57:59 -0000
Received: (qmail 40907 invoked from network); 12 Jun 2001 12:57:58 -0000
Received: from unknown ( by l10.egroups.com with QMQP; 12 Jun 2001 12:57:58 -0000
Received: from unknown (HELO mailout4-0.nyroc.rr.com) ( by mta2 with SMTP; 12 Jun 2001 12:57:52 -0000
Received: from isriskxcurrent (roc-24-169-96-20.rochester.rr.com []) by mailout4-0.nyroc.rr.com (8.11.2/RoadRunner 1.03) with SMTP id f5CCuQ828358 for <iwar@yahoogroups.com>; Tue, 12 Jun 2001 08:56:26 -0400 (EDT)
To: <iwar@yahoogroups.com>
Message-ID: <000001c0f33f$43ccfa50$6401a8c0@isrisk.net>
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000
X-eGroups-From: "John Sforza" <jsforza@isrisk.net>
From: "John Sforza" <jsforza@rochester.rr.com>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Tue, 12 Jun 2001 08:57:39 -0400
Reply-To: iwar@yahoogroups.com
Subject: [iwar] Trust based on activity/time
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

I am looking for a system based on the model below or thoughts on the model.
Everything that I have seen so far is lacks automated real-time response and
I have limited headcount. Pardon my blunt language but I am no wordsmith.

In most systems that I am familiar with things go like this:

1. a user is authenticated (we don't care who at this point but it is
relevant - let's assume an individual finds id/password/token)

2. authorization is granted for access to services and resources.

3. And away we go - an insider opportunity for discovery...

And that's about it, sometimes in a really security aware organization (I
like the casino model myself) a significant amount of real-time monitoring
occurs and a profile is built and passed to other monitoring entities and
management as required.

My question is this, are there any software systems out there that do the
same as above or even better. If you diverge from your profile activities
your authorization window narrows but does not close and an alert is sent to
Security Operations. Even if you change your authentication the suspect
profile is still on record and the process will rematch your activities (I
guess I am assuming here that the target information is the same) and again
follow the process, but this time escalating the event to Security
Operations and potentially isolating the target from access within the
suspect subnet, building, floor if things get really dicey. The above is
based on personal usage characteristic and not necessarily the users access
authorizations. I see an alert being just as valid if this user who has
authorization for Y and has never accessed Y is suddenly very active in Y -
it's out of character for him to access Y at all. I know that there are
several enterprise systems that will log user activity but fail to take
proactive steps in real time.

John Sforza
V: 716-230-3516
E: jsforza@isrisk.net

[Non-text portions of this message have been removed]


Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 

This archive was generated by hypermail 2.1.2 : 2001-06-30 21:44:17 PDT