Analytics //

Security Monitoring

5/25/2012
03:07 PM
50%
50%

Cutting The Lag Between Detection And Action

Detecting a threat does little good if the targeted company is not ready to respond. Security experts weigh in on ways to speed a business' response to threats

When companies detect a possible threat or vulnerability, determining what the impact may be and how to mitigate the threat is not so easy in today's complex networks.

In a simple environment, such questions are easy. But not so in the complex enterprise environment with hundreds of thousands of systems and hundreds of network security controls, such as access control lists, firewall rules, and intrusion-prevention systems, says Jody Brazil, president and chief technology officer for FireMon.

"Most organizations can't even answer the most basic, simple questions of what access is allowed through my network," he says. "So the idea of does the bad actor actually pose a threat to your organizations is a difficult question to answer."

Increasingly, companies are building more intelligence-response systems to turn the detection of possible threats into action. Automating the response cuts down on the time to respond as well.

Firewall management firm Firemon, for example, announced this week that it had integrated risk analysis with its firewall management system to allow the software to gauge the impact of certain filter rules on the network before deploying the rule. Information-technology contractor Computer Sciences Corp. has created a system that can be programmed with possible actions based on corporate security policy. Called Dynamic Adaptive Defense, the system will suggest responses to certain events and push them live, after approval.

"You can't deal with real-time machine-speed attacks unless you are responding in real time," says Bernie Thomas, cybersecurity practice lead at CSC. "The only time you can respond in real time as a human is if you've thought about these issues in advanced, and preplanned actions are they key."

Other companies are creating more integrated systems to bring detection and response together.

Do You Have What It Takes?
Companies first have to make sure they have the right systems to allow them to take action. Without a Web application firewall, intrusion-detection system, or endpoint-policy management, a company may detect an attack or a high-priority vulnerability, but still not be able to do anything, says Dan Kuykendall, co-CEO and chief technology officer of NT Objectives, an application testing and vulnerability-management firm.

"One of the first steps is to find out what defensive tools you have in place to help you mitigate the problem," he says. "And can you get the necessary people -- vendors or internal developers -- to help protect the system."

If an application-scanning system detects a vulnerability or a SIEM system pieces together signs of an attack, then the experts required to craft a defense should be on standby. Devising a strategy at the time of an attack, finding out that the company does not have the right technology, or trying to put together a response team will all slow down a company's ability to take action.

[ Not only does the state of firewall rules expose enterprises to undue risk, it inevitably throws the business out of compliance. See Poorly Managed Firewall Rule Sets Will Flag An Audit. ]

Many defensive technologies require rules, generally written as regular expressions. For security groups not used to working with the rule set, it's very difficult to craft an effective -- not to mention, correct -- rule.

"If people are not good at it -- and most people aren't [because] regular expressions are their own art -- it can be very difficult to craft a rule," Kuykendall says. "There is a lot that goes into it, including how you are going to prevent the attack without breaking good stuff."

Automate The Hard Stuff
In speeding up defenses, automating response is invaluable. But pushing a bad firewall rule or a poor signature live can have serious repercussions, Firemon's Brazil says.

"There are implications if you don't do this well," he says.

Many companies can help automate much of the process by using their community as a large detection network. When one customer detects a threat, the information goes up to the vendor's cloud service and is distributed quickly to its other customers.

Check Point Software recently announced an anti-botnet system that also shares data anonymously with the company through its threat community, ThreatCloud, allowing the system to protect its other customers.

"If we find one outbreak, that is shared with the ThreatCloud and then everyone that has one of our gateways is protected," he says.

Double Check And Be Able To Undo
To stop attacks, security technology has to be placed inline, which means that a bad rule or misconfiguration can break a company's network. For that reason, companies need to be able to test and double-check any changes to configuration files to stop ongoing attacks or eliminate possible attacks against known vulnerabilities, Emo says.

"If a security solution is out-of-band, a lot of damage can be done before you know anything is happening," he says. "But inline security has to be careful: Security can't interfere with business continuity."

In the end, foresight, the right technological automation, and the necessary experts can all help a company respond quickly.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9978
PUBLISHED: 2019-03-24
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
CVE-2019-9977
PUBLISHED: 2019-03-24
The renderer process in the entertainment system on Tesla Model 3 vehicles mishandles JIT compilation, which allows attackers to trigger firmware code execution, and display a crafted message to vehicle occupants.
CVE-2019-9962
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to VCRUNTIME140!memcpy.
CVE-2019-9963
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to ntdll!RtlFreeHeap.
CVE-2019-9964
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to ntdll!RtlpNtMakeTemporaryKey.