Analytics //

Security Monitoring

5/25/2012
03:07 PM
50%
50%

Cutting The Lag Between Detection And Action

Detecting a threat does little good if the targeted company is not ready to respond. Security experts weigh in on ways to speed a business' response to threats

When companies detect a possible threat or vulnerability, determining what the impact may be and how to mitigate the threat is not so easy in today's complex networks.

In a simple environment, such questions are easy. But not so in the complex enterprise environment with hundreds of thousands of systems and hundreds of network security controls, such as access control lists, firewall rules, and intrusion-prevention systems, says Jody Brazil, president and chief technology officer for FireMon.

"Most organizations can't even answer the most basic, simple questions of what access is allowed through my network," he says. "So the idea of does the bad actor actually pose a threat to your organizations is a difficult question to answer."

Increasingly, companies are building more intelligence-response systems to turn the detection of possible threats into action. Automating the response cuts down on the time to respond as well.

Firewall management firm Firemon, for example, announced this week that it had integrated risk analysis with its firewall management system to allow the software to gauge the impact of certain filter rules on the network before deploying the rule. Information-technology contractor Computer Sciences Corp. has created a system that can be programmed with possible actions based on corporate security policy. Called Dynamic Adaptive Defense, the system will suggest responses to certain events and push them live, after approval.

"You can't deal with real-time machine-speed attacks unless you are responding in real time," says Bernie Thomas, cybersecurity practice lead at CSC. "The only time you can respond in real time as a human is if you've thought about these issues in advanced, and preplanned actions are they key."

Other companies are creating more integrated systems to bring detection and response together.

Do You Have What It Takes?
Companies first have to make sure they have the right systems to allow them to take action. Without a Web application firewall, intrusion-detection system, or endpoint-policy management, a company may detect an attack or a high-priority vulnerability, but still not be able to do anything, says Dan Kuykendall, co-CEO and chief technology officer of NT Objectives, an application testing and vulnerability-management firm.

"One of the first steps is to find out what defensive tools you have in place to help you mitigate the problem," he says. "And can you get the necessary people -- vendors or internal developers -- to help protect the system."

If an application-scanning system detects a vulnerability or a SIEM system pieces together signs of an attack, then the experts required to craft a defense should be on standby. Devising a strategy at the time of an attack, finding out that the company does not have the right technology, or trying to put together a response team will all slow down a company's ability to take action.

[ Not only does the state of firewall rules expose enterprises to undue risk, it inevitably throws the business out of compliance. See Poorly Managed Firewall Rule Sets Will Flag An Audit. ]

Many defensive technologies require rules, generally written as regular expressions. For security groups not used to working with the rule set, it's very difficult to craft an effective -- not to mention, correct -- rule.

"If people are not good at it -- and most people aren't [because] regular expressions are their own art -- it can be very difficult to craft a rule," Kuykendall says. "There is a lot that goes into it, including how you are going to prevent the attack without breaking good stuff."

Automate The Hard Stuff
In speeding up defenses, automating response is invaluable. But pushing a bad firewall rule or a poor signature live can have serious repercussions, Firemon's Brazil says.

"There are implications if you don't do this well," he says.

Many companies can help automate much of the process by using their community as a large detection network. When one customer detects a threat, the information goes up to the vendor's cloud service and is distributed quickly to its other customers.

Check Point Software recently announced an anti-botnet system that also shares data anonymously with the company through its threat community, ThreatCloud, allowing the system to protect its other customers.

"If we find one outbreak, that is shared with the ThreatCloud and then everyone that has one of our gateways is protected," he says.

Double Check And Be Able To Undo
To stop attacks, security technology has to be placed inline, which means that a bad rule or misconfiguration can break a company's network. For that reason, companies need to be able to test and double-check any changes to configuration files to stop ongoing attacks or eliminate possible attacks against known vulnerabilities, Emo says.

"If a security solution is out-of-band, a lot of damage can be done before you know anything is happening," he says. "But inline security has to be careful: Security can't interfere with business continuity."

In the end, foresight, the right technological automation, and the necessary experts can all help a company respond quickly.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.