Tech Insight: Getting The Big Picture On Your Security Situation

'Situational awareness' can make a dramatic difference in the efficiency of your incident response effort

A Special Analysis for Dark Reading

Bad economic times and budget cuts can lead good employees down the wrong path in trying to make ends meet. Combine this simple truth with a few targeted malware attacks and some smart, financially motivated attackers, and the critical need for enterprises to achieve true "situational awareness" for security becomes clear.

Situational awareness -- a term borrowed from the military -- means that security professionals, both managers and techies, have a keen understanding of their environments and the dependencies on them so they can fully assess the impact of a change or event. This includes human and technical resources, how they interact, the importance of each IT resource, the nature and value of the data that resides on each resource, and what threats they face.

Today's ever-changing technology creates new hurdles for security professionals in gaining this valuable awareness. For example, the nature of the environment is constantly altered by an increasingly mobile workforce bearing smartphones and laptops. Virtualization is an additional challenge because what was once one machine providing one or two services is now many virtual machines providing many more services. This makes the separation of logical and physical security domains cumbersome, if not downright impossible.

Obtaining full situational awareness is not an easy task, especially for large, geographically diverse organizations. But there are three steps, or processes, that can help security teams gain a better understanding of the environment they're protecting and prioritize the analysis of attacks and potential breaches:

  • The first step is having a thorough asset management system that can track all current versions of software, hardware, and other resources. While not glamorous, knowing where every IT resource is and what it's running can be critical during incident response. This is where a solution that includes a configuration management database (CMDB) and integrates into the software and inventory management life cycle can ease the pain of identifying which hosts are affected by an attack. Similar to having all packet data when analyzing IDS alerts, knowing what's running provides context to an attack and whether the system could have been exploited.

  • The second step is more obvious than the first: conducting a comprehensive risk assessment. Taking data from the first step, a thorough risk assessment of all assets needs to be conducted to understand what risks threaten the confidentiality, integrity, and availability of IT resources. Many times, an organization that performs a risk assessment will end up having to go back to Step 1 to figure out its assets and value before proceeding.

  • The final and most critical step is achieving full visibility throughout the enterprise network. It sounds easy -- until you consider such issues as remote sites on WAN links, mobile workers on VPNs, and virtual server farms. But visibility is even more important in complex environments, especially in virtualized environments where traffic regularly passes directly from virtual host to virtual host without ever traversing a physical network device. And once visibility is achieved, it needs to be leveraged to understand how hosts interact on the network with internal and external systems.

    Providing visibility into networks is an area where network behavior analysis products, such as those from Lancope and Mazu Networks, can help. They collect network flow data exported directly from the switches and routers, providing analysis through direct packet capture. A large part of their value is the ability to create baselines for hosts within your network so that you can detect anomalous behaviors, such as abnormal bandwidth usage, new hosts on the network, and new services offered from hosts that aren't normally servers.
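The baseline comparison described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor product; the flow tuples, addresses, and the `volume_factor` threshold are constructed assumptions, and real products build statistical baselines over much longer windows.

```python
from collections import defaultdict

# Constructed flow records (not real traffic): (src, dst, dst_port, bytes).
BASELINE_FLOWS = [
    ("10.0.1.20", "10.0.0.5", 443, 120_000),
    ("10.0.1.21", "10.0.0.5", 443, 95_000),
    ("10.0.1.20", "10.0.0.9", 25, 40_000),
    ("10.0.1.21", "10.0.0.9", 25, 35_000),
]
TODAY_FLOWS = [
    ("10.0.1.20", "10.0.0.5", 443, 110_000),
    ("10.0.1.21", "10.0.0.9", 25, 900_000),   # far above its usual volume
    ("10.0.1.77", "10.0.0.5", 443, 8_000),    # source never seen before
    ("10.0.1.20", "10.0.1.21", 8080, 5_000),  # workstation acting as a server
]

def profile(flows):
    """Summarise flows into bytes sent per host and the (server, port) pairs seen."""
    sent, services = defaultdict(int), set()
    for src, dst, port, nbytes in flows:
        sent[src] += nbytes
        sent[dst] += 0              # record the destination as a known host
        services.add((dst, port))
    return dict(sent), services

def find_anomalies(baseline_flows, current_flows, volume_factor=5):
    """Report new hosts, new services, and bandwidth spikes versus the baseline."""
    base_sent, base_services = profile(baseline_flows)
    cur_sent, cur_services = profile(current_flows)
    findings = []
    for host in sorted(cur_sent.keys() - base_sent.keys()):
        findings.append(("new_host", host))
    for host, port in sorted(cur_services - base_services):
        findings.append(("new_service", f"{host}:{port}"))
    for host, nbytes in sorted(cur_sent.items()):
        usual = base_sent.get(host, 0)
        # Hosts with no baseline volume are already covered by the checks above.
        if usual and nbytes > volume_factor * usual:
            findings.append(("bandwidth_spike", host))
    return findings

if __name__ == "__main__":
    for kind, subject in find_anomalies(BASELINE_FLOWS, TODAY_FLOWS):
        print(f"{kind:16} {subject}")
```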

Even after the three steps are completed, situational awareness nirvana isn't necessarily guaranteed. Remember, each step is a process that must be continually refreshed as new hardware and software are purchased and upgraded. But the value gained from implementing each step will go directly toward helping security teams prioritize attack alerts and home in on hosts that were running a certain software package, exposed to a particular threat, or affected by a correlated IDS event.
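As an added illustration of how the asset inventory from the first step gives context to IDS alerts (this is not code from the article; the inventory layout, product names, versions, alert fields, and value scores are all constructed assumptions), the sketch below ranks alerts by whether the targeted host actually runs the affected software.

```python
# Constructed inventory, standing in for a CMDB export; "value" is an
# assumed 1-5 business-importance score taken from the risk assessment.
INVENTORY = {
    "10.0.0.5": {"role": "web server", "value": 5,
                 "software": {"ExampleHTTPd": "2.1", "ExampleDB": "9.4"}},
    "10.0.0.9": {"role": "mail relay", "value": 3,
                 "software": {"ExampleMTA": "4.0"}},
    "10.0.1.20": {"role": "workstation", "value": 1,
                  "software": {"ExampleHTTPd": "2.3"}},
}
HTTPD_BAD = {"2.1", "2.2"}  # versions the hypothetical signature applies to
# Constructed IDS alerts: target host, product, and affected versions.
ALERTS = [
    {"id": "A1", "dst": "10.0.0.9", "product": "ExampleHTTPd", "affected": HTTPD_BAD},
    {"id": "A2", "dst": "10.0.0.5", "product": "ExampleHTTPd", "affected": HTTPD_BAD},
    {"id": "A3", "dst": "10.0.1.20", "product": "ExampleHTTPd", "affected": HTTPD_BAD},
    {"id": "A4", "dst": "10.0.9.9", "product": "ExampleMTA", "affected": {"4.0"}},
]

def triage(alert, inventory):
    """Classify one alert using what the inventory says about its target."""
    asset = inventory.get(alert["dst"])
    if asset is None:
        # An unknown target is an inventory gap and needs a human look.
        return ("investigate", "target not in inventory")
    version = asset["software"].get(alert["product"])
    if version is None:
        return ("low", "product not installed")
    if version not in alert["affected"]:
        return ("low", "installed version not affected")
    return ("high", f"{asset['role']} runs affected version")

def prioritize(alerts, inventory):
    """Order alerts by triage result, then by asset value (highest first)."""
    rank = {"high": 0, "investigate": 1, "low": 2}
    scored = []
    for a in alerts:
        priority, reason = triage(a, inventory)
        value = inventory.get(a["dst"], {}).get("value", 0)
        scored.append((rank[priority], -value, a["id"], priority, reason))
    return [(aid, prio, why) for _, _, aid, prio, why in sorted(scored)]

def exposed_hosts(product, affected, inventory):
    """List every inventoried host running an affected version."""
    return sorted(h for h, a in inventory.items()
                  if a["software"].get(product) in affected)

if __name__ == "__main__":
    for row in prioritize(ALERTS, INVENTORY):
        print(*row, sep="  ")
```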
