1/16/2009
03:39 PM

Tech Insight: Getting The Big Picture On Your Security Situation

'Situational awareness' can make a dramatic difference in the efficiency of your incident response effort

A Special Analysis for Dark Reading

Bad economic times and budget cuts can lead good employees down the wrong path in trying to make ends meet. Combine this simple truth with a few targeted malware attacks and some smart, financially motivated attackers, and the critical need for enterprises to achieve true "situational awareness" for security becomes clear.

Situational awareness -- a term borrowed from the military -- means that security professionals, both managers and techies, have a keen understanding of their environments and the dependencies on them so they can fully assess the impact of a change or event. This includes human and technical resources, how they interact, the importance of each IT resource, the nature and value of the data that resides on each resource, and what threats they face.

Today's ever-changing technology creates new hurdles for security professionals in gaining this valuable awareness. For example, the nature of the environment is constantly altered by an increasingly mobile workforce bearing smartphones and laptops. Virtualization is an additional challenge because what was once one machine providing one or two services is now many virtual machines providing many more services. This makes the separation of logical and physical security domains cumbersome, if not downright impossible.

Obtaining full situational awareness is not an easy task, especially for large, geographically diverse organizations. But there are three steps, or processes, that can help security teams gain a better understanding of the environment they're protecting and prioritize the analysis of attacks and potential breaches:

  • The first step is having a thorough asset management system that can track all current versions of software, hardware, and other resources. While not glamorous, knowing where every IT resource is and what it's running can be critical during incident response. This is where a solution that includes a configuration management database (CMDB) and integrates into the software and inventory management life cycle can ease the pain of identifying which hosts are affected by an attack. Similar to having all packet data when analyzing IDS alerts, knowing what's running provides context to an attack and whether the system could have been exploited.

  • The second step is more obvious than the first: conducting a comprehensive risk assessment. Taking data from the first step, a thorough risk assessment of all assets needs to be conducted to understand what risks threaten the confidentiality, integrity, and availability of IT resources. Many times, an organization that performs a risk assessment will end up having to go back to Step 1 to figure out its assets and value before proceeding.

  • The final and most critical step is achieving full visibility throughout the enterprise network. It sounds easy -- until you consider such issues as remote sites on WAN links, mobile workers on VPNs, and virtual server farms. But visibility is even more important in complex environments, especially in virtualized environments where traffic regularly passes directly from virtual host to virtual host without ever traversing a physical network device. And once visibility is achieved, it needs to be leveraged to understand how hosts interact on the network with internal and external systems.

    Providing visibility into networks is an area where network behavior analysis products, such as those from Lancope and Mazu Networks, can help. They collect network flow data exported directly from the switches and routers, providing analysis through direct packet capture. A large part of their value is the ability to create baselines for hosts within your network so that you can detect anomalous behaviors, such as abnormal bandwidth usage, new hosts on the network, and new services offered from hosts that aren't normally servers.
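The baselining idea above can be sketched as an added example (not code from the article or from any vendor's product). It builds a per-host baseline from earlier days of flow records and flags the three anomalies the paragraph names: new hosts, new services from hosts that are not normally servers, and abnormal bandwidth. The flow tuple layout, the `INTERNAL` range, and the three-sigma threshold with a 10% floor are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space
# Constructed flow records: (day, client_ip, server_ip, server_port, bytes_from_client).
FLOWS = [
    (1, "10.0.0.5", "10.0.1.10", 443, 120_000), (1, "10.0.0.6", "10.0.1.10", 443, 90_000),
    (2, "10.0.0.5", "10.0.1.10", 443, 110_000), (2, "10.0.0.6", "10.0.1.10", 443, 95_000),
    (3, "10.0.0.5", "10.0.1.10", 443, 130_000), (3, "10.0.0.6", "10.0.1.10", 443, 85_000),
    # Day 4 is the window checked against the baseline from days 1-3.
    (4, "10.0.0.5", "10.0.1.10", 443, 125_000),
    (4, "10.0.0.6", "198.51.100.7", 443, 9_000_000),  # abnormal outbound volume
    (4, "10.0.0.5", "10.0.0.6", 8080, 4_000),         # workstation now serving
    (4, "10.0.0.99", "10.0.1.10", 443, 2_000),        # host never seen before
]

def profile(flows):
    """Return (bytes sent per host per day, ports each host serves)."""
    sent, served = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for day, client, server, port, nbytes in flows:
        sent[client][day] += nbytes
        served[server].add(port)
    return sent, served

def detect(flows, today, sigmas=3.0):
    """Compare `today` with the baseline built from all earlier days."""
    base_sent, base_served = profile(f for f in flows if f[0] < today)
    now_sent, now_served = profile(f for f in flows if f[0] == today)
    known = set(base_sent) | set(base_served)
    internal = lambda ip: ipaddress.ip_address(ip) in INTERNAL
    alerts = []
    for host in sorted((set(now_sent) | set(now_served)) - known):
        if internal(host):
            alerts.append(("new_host", host))
    for host, ports in sorted(now_served.items()):
        new_ports = ports - base_served.get(host, set())
        if host in known and internal(host) and new_ports:
            alerts.append(("new_service", host, sorted(new_ports)))
    for host, days in sorted(now_sent.items()):
        history = list(base_sent.get(host, {}).values())
        if len(history) < 2:
            continue  # not enough history to call anything abnormal
        limit = mean(history) + sigmas * max(pstdev(history), 0.1 * mean(history))
        if days[today] > limit:
            alerts.append(("bandwidth", host, days[today]))
    return alerts
```

Real flow exports are unidirectional, so a production collector has to infer which side is the server before a "new service" check like this one is meaningful.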

Even after the three steps are completed, situational awareness nirvana isn't necessarily guaranteed. Remember, each step is a process that must be continually refreshed as new hardware and software are purchased and upgraded. But the value gained from implementing each step will go directly toward helping security teams prioritize attack alerts and home in on hosts that were running a certain software package, exposed to a particular threat, or affected by a correlated IDS event.
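As an added illustration of that prioritization (not code from the article), the sketch below joins IDS alerts against an asset inventory and the values assigned during a risk assessment, so that an alert against a vulnerable, high-value host rises to the top and an alert against a host that does not run the targeted software drops out. The inventory fields, product names, alert format, and scoring are all hypothetical.

```python
# Constructed inventory export (hypothetical CMDB fields): what each host
# runs, plus the business value (1-5) assigned during the risk assessment.
INVENTORY = {
    "10.0.1.10": {"role": "payroll web", "value": 5, "software": {"examplehttpd": "2.2.8"}},
    "10.0.1.11": {"role": "intranet wiki", "value": 2, "software": {"examplehttpd": "2.2.11"}},
    "10.0.2.20": {"role": "file server", "value": 4, "software": {"examplesmb": "3.0.1"}},
}
# Constructed IDS alerts: the product targeted and the version that fixes the flaw.
ALERTS = [
    {"id": 1, "dst": "10.0.1.10", "product": "examplehttpd", "fixed_in": "2.2.10"},
    {"id": 2, "dst": "10.0.1.11", "product": "examplehttpd", "fixed_in": "2.2.10"},
    {"id": 3, "dst": "10.0.2.20", "product": "examplehttpd", "fixed_in": "2.2.10"},
    {"id": 4, "dst": "10.0.3.30", "product": "examplehttpd", "fixed_in": "2.2.10"},
]

def vtuple(version):
    """Compare versions numerically: as strings, '2.2.8' sorts after '2.2.10'."""
    return tuple(int(part) for part in version.split("."))

def triage(alert, inventory):
    """Return (score, reason); the scoring scale is an assumption of this example."""
    asset = inventory.get(alert["dst"])
    if asset is None:
        # A target missing from the inventory is itself a visibility gap.
        return (4, "untracked host: inventory gap, investigate")
    installed = asset["software"].get(alert["product"])
    if installed is None:
        return (0, "targeted product not installed")
    if vtuple(installed) >= vtuple(alert["fixed_in"]):
        return (1, "installed version already fixed")
    return (asset["value"],
            f"vulnerable {alert['product']} {installed} on {asset['role']}")

def prioritize(alerts, inventory):
    """Return (alert_id, score, reason) tuples, highest score first."""
    scored = [(a["id"], *triage(a, inventory)) for a in alerts]
    return sorted(scored, key=lambda row: -row[1])
```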
