Adjusting Your Baseline

I went to the doctor the other day and she noted that my numbers were a little higher than last year.  I asked, “Hey Doc, should I be concerned?”  “Not really”, she said.  She then went on to explain that as humans age, the numbers will shift to reflect the differences in our body.  Aha! That explains why I can’t do pushups on my thumbs anymore! It made perfect, if not depressing, sense.

We all know that everything ages, and in InfoSec, things age at a faster speed than most.  We are not talking “dog years” here.  We are talking tech years.  The baselines that you took for a system or an enterprise last year are all probably approaching ancient history. 

What are we to do when things are so rapidly changing? 

One solution that I find very useful is to track things more closely so that the change in the baseline doesn’t make your heart skip a beat.

[Figure: baseline 1]

Perhaps your original baseline appeared somewhere between the 300 and 400 range of whatever you are measuring.

A year later, when you return to check your baseline, the numbers have jumped considerably.

[Figure: baseline 2]

Medic!

These numbers look alarming, but if you are tracking the numbers continuously, rather than periodically, you would see more of a trend, rather than a spike.

Over time, as your graph grows, you can see more of a periodic slope that probably better represents the monitored activity.  Here is a more complete view of the two events shown above.

[Figure: baseline 3]

As you can see, this is a much less nerve-jarring picture than the two periodic snapshots.

Of course, your ability to continuously track these things depends on what you are tracking, as well as other factors, such as competing priorities and workload.  

This is where you must choose the items based on volatility.  For example, should bandwidth use tracking be an everyday event? If you are a SysAdmin, probably not: a SysAdmin derives knowledge by viewing what is occurring over an extended period of time, so a weekly summary may be perfectly adequate to get a sense of how usage is changing.  However, if you are an InfoSec professional, you may be more concerned with daily spikes in activity, which, amongst other things, could indicate data exfiltration.

A capacity planner may be interested in an annual count of new and expired identities on the system; the InfoSec team, however, is going to be very suspicious if a high number of accounts are added or removed over the course of a few days.
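To put numbers on the contrast between the periodic snapshots and the continuous view above, and on the "accounts added over a few days" case, here is an added example (my own code, not from the original post). It uses a constructed daily count that grows slowly all year plus a three-day burst; the growth rate, window and spike size are assumptions. A year-apart snapshot comparison reports a large jump, while a rolling 30-day baseline over the same data flags only the three burst days.

```python
# Constructed daily metric (think "accounts created per day"): slow growth all
# year plus a three-day burst. All parameters are made up for illustration.
from statistics import mean, stdev


def build_series(days=365, start=350.0, growth=0.7, spike_day=200, spike=400.0):
    """Linear drift from `start` plus a three-day burst of `spike` extra events."""
    series = [start + growth * d for d in range(days)]
    for d in range(spike_day, spike_day + 3):   # the few-day burst
        series[d] += spike
    return series


def snapshot_change(series, day_a, day_b):
    """Periodic baselining: relative change between two snapshots taken far apart."""
    return (series[day_b] - series[day_a]) / series[day_a]


def rolling_anomalies(series, window=30, threshold=3.0):
    """Continuous baselining: flag a day whose value lies more than `threshold`
    sample standard deviations from the mean of the preceding `window` days.

    Days already flagged are left out of later windows, so a spike does not
    get absorbed into the very baseline it should be measured against.
    Returns {day_index: z_score} for the flagged days."""
    flagged = {}
    for i in range(window, len(series)):
        hist = [series[j] for j in range(i - window, i) if j not in flagged]
        if len(hist) < 2:
            continue
        mu, sd = mean(hist), stdev(hist)
        if sd == 0:
            continue
        z = (series[i] - mu) / sd
        if abs(z) > threshold:
            flagged[i] = round(z, 1)
    return flagged


if __name__ == "__main__":
    s = build_series()
    # Two snapshots a year apart: the "Medic!" picture, roughly +73%.
    print(f"year-over-year snapshot change: {snapshot_change(s, 0, 364):+.0%}")
    # The same data tracked daily: the drift is within the baseline; only the
    # three burst days stand out.
    print("daily anomalies (day: z-score):", rolling_anomalies(s))
```

Because the drift is gradual, it never exceeds about 1.8 standard deviations of the trailing window, so the continuous view treats it as the slope the third figure shows rather than as an alarm.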

One problem that many auditors have is that these trends are not hard and fast numbers.  I recall the words of an investment professional when someone asked about the financial market.  “It’s a barometer, not a thermometer.” 

By tracking various activities at appropriate intervals, you can see what is changing in your environment at a sane level.  Know your baseline, but adjust it as required. Alarms may go off, and that is why you are doing what you do. Overall, if there are no emergencies, you can see if the patient is healthy and growing, or, in my personal case, simply aging. Age gracefully!
