Analytics
1/16/2009
03:39 PM
Connect Directly
RSS
E-Mail
50%
50%

Tech Insight: Getting The Big Picture On Your Security Situation

'Situational awareness' can make a dramatic difference in the efficiency of your incident response effort

A Special Analysis for Dark Reading

Bad economic times and budget cuts can lead good employees down the wrong path in trying to make ends meet. Combine this simple truth with a few targeted malware attacks and some smart, financially motivated attackers, and the critical need for enterprises to achieve true "situational awareness" for security becomes clear.

Situational awareness -- a term borrowed from the military -- means that security professionals, both managers and techies, have a keen understanding of their environments and the dependencies on them so they can fully assess the impact of a change or event. This includes human and technical resources, how they interact, the importance of each IT resource, the nature and value of the data that resides on each resource, and what threats they face.

Today's ever-changing technology creates new hurdles for security professionals in gaining this valuable awareness. For example, the nature of the environment is constantly altered by an increasingly mobile workforce bearing smartphones and laptops. Virtualization is an additional challenge because what was once one machine providing one or two services is now many virtual machines providing many more services. This makes the separation of logical and physical security domains cumbersome, if not downright impossible.

Obtaining full situational awareness is not an easy task, especially for large, geographically diverse organizations. But there are three steps, or processes, that can help security teams gain a better understanding of the environment they're protecting and prioritize the analysis of attacks and potential breaches:

  • The first step is having a thorough asset management system that can track all current versions of software, hardware, and other resources. While not glamorous, knowing where every IT resource is and what it's running can be critical during incident response. This is where a solution that includes a configuration management database (CMDB) and integrates into the software and inventory management life cycle can ease the pain of identifying which hosts are affected by an attack. Similar to having all packet data when analyzing IDS alerts, knowing what's running provides context to an attack and whether the system could have been exploited.

  • The second step is more obvious than the first: conducting a comprehensive risk assessment. Taking data from the first step, a thorough risk assessment of all assets needs to be conducted to understand what risks threaten the confidentiality, integrity, and availability of IT resources. Many times, an organization that performs a risk assessment will end up having to go back to Step 1 to figure out its assets and value before proceeding.

  • The final and most critical step is achieving full visibility throughout the enterprise network. It sounds easy -- until you consider such issues as remote sites on WAN links, mobile workers on VPNs, and virtual server farms. But visibility is even more important in complex environments, especially in virtualized environments where traffic regularly passes directly from virtual host to virtual host without ever traversing a physical network device. And once visibility is achieved, it needs to be leveraged to understand how hosts interact on the network with internal and external systems.

    Providing visibility into networks is an area where network behavior analysis products, such as those from Lancope and Mazu Networks, can help. They collect network flow data exported directly from the switches and routers, providing analysis through direct packet capture. A large part of their value is the ability to create baselines for hosts within your network so that you can detect anomalous behaviors, such as abnormal bandwidth usage, new hosts on the network, and new services offered from hosts that aren't normally servers.

    Even after the three steps are completed, situational awareness nirvana isn't necessarily guaranteed. Remember, each step is a process that must be continually refreshed as new hardware and software is purchased and upgraded. But the value gained from implementing each step will go directly toward helping security teams prioritize attack alerts and hone in on hosts that were running a certain software package, exposed to a particular threat, or affected by a correlated IDS event.

    Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message

    Comment  | 
    Print  | 
    More Insights
  • Register for Dark Reading Newsletters
    White Papers
    Cartoon
    Current Issue
    Dark Reading Must Reads - September 25, 2014
    Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
    Flash Poll
    Threat Intel Today
    Threat Intel Today
    The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
    Video
    Slideshows
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2014-6278
    Published: 2014-09-30
    GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and m...

    CVE-2014-6805
    Published: 2014-09-30
    The weibo (aka magic.weibo) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

    CVE-2014-6806
    Published: 2014-09-30
    The Thanodi - Setswana Translator (aka com.thanodi.thanodi) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

    CVE-2014-6807
    Published: 2014-09-30
    The OLA School (aka com.conduit.app_00f9890a4f0145f2aae9d714e20b273a.app) application 1.2.7.132 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

    CVE-2014-6808
    Published: 2014-09-30
    The Active 24 (aka com.zentity.app.active24) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

    Best of the Web
    Dark Reading Radio
    Archived Dark Reading Radio
    In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.