Analytics
1/16/2009
03:39 PM
50%
50%

Tech Insight: Getting The Big Picture On Your Security Situation

'Situational awareness' can make a dramatic difference in the efficiency of your incident response effort

A Special Analysis for Dark Reading

Bad economic times and budget cuts can lead good employees down the wrong path in trying to make ends meet. Combine this simple truth with a few targeted malware attacks and some smart, financially motivated attackers, and the critical need for enterprises to achieve true "situational awareness" for security becomes clear.

Situational awareness -- a term borrowed from the military -- means that security professionals, both managers and techies, have a keen understanding of their environments and the dependencies on them so they can fully assess the impact of a change or event. This includes human and technical resources, how they interact, the importance of each IT resource, the nature and value of the data that resides on each resource, and what threats they face.

Today's ever-changing technology creates new hurdles for security professionals in gaining this valuable awareness. For example, the nature of the environment is constantly altered by an increasingly mobile workforce bearing smartphones and laptops. Virtualization is an additional challenge because what was once one machine providing one or two services is now many virtual machines providing many more services. This makes the separation of logical and physical security domains cumbersome, if not downright impossible.

Obtaining full situational awareness is not an easy task, especially for large, geographically diverse organizations. But there are three steps, or processes, that can help security teams gain a better understanding of the environment they're protecting and prioritize the analysis of attacks and potential breaches:

  • The first step is having a thorough asset management system that can track all current versions of software, hardware, and other resources. While not glamorous, knowing where every IT resource is and what it's running can be critical during incident response. This is where a solution that includes a configuration management database (CMDB) and integrates into the software and inventory management life cycle can ease the pain of identifying which hosts are affected by an attack. Similar to having all packet data when analyzing IDS alerts, knowing what's running provides context to an attack and whether the system could have been exploited.

  • The second step is more obvious than the first: conducting a comprehensive risk assessment. Taking data from the first step, a thorough risk assessment of all assets needs to be conducted to understand what risks threaten the confidentiality, integrity, and availability of IT resources. Many times, an organization that performs a risk assessment will end up having to go back to Step 1 to figure out its assets and value before proceeding.

  • The final and most critical step is achieving full visibility throughout the enterprise network. It sounds easy -- until you consider such issues as remote sites on WAN links, mobile workers on VPNs, and virtual server farms. But visibility is even more important in complex environments, especially in virtualized environments where traffic regularly passes directly from virtual host to virtual host without ever traversing a physical network device. And once visibility is achieved, it needs to be leveraged to understand how hosts interact on the network with internal and external systems.

    Providing visibility into networks is an area where network behavior analysis products, such as those from Lancope and Mazu Networks, can help. They collect network flow data exported directly from the switches and routers, providing analysis through direct packet capture. A large part of their value is the ability to create baselines for hosts within your network so that you can detect anomalous behaviors, such as abnormal bandwidth usage, new hosts on the network, and new services offered from hosts that aren't normally servers.

    Even after the three steps are completed, situational awareness nirvana isn't necessarily guaranteed. Remember, each step is a process that must be continually refreshed as new hardware and software is purchased and upgraded. But the value gained from implementing each step will go directly toward helping security teams prioritize attack alerts and hone in on hosts that were running a certain software package, exposed to a particular threat, or affected by a correlated IDS event.

    Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message

    Comment  | 
    Print  | 
    More Insights
  • Register for Dark Reading Newsletters
    White Papers
    Cartoon
    Current Issue
    Flash Poll
    Threat Intel Today
    Threat Intel Today
    The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
    Video
    Slideshows
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2015-0750
    Published: 2015-05-22
    The administrative web interface in Cisco Hosted Collaboration Solution (HCS) 10.6(1) and earlier allows remote authenticated users to execute arbitrary commands via crafted input to unspecified fields, aka Bug ID CSCut02786.

    CVE-2012-1978
    Published: 2015-05-21
    Multiple cross-site request forgery (CSRF) vulnerabilities in Simple PHP Agenda 2.2.8 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator via a request to auth/process.php, (2) delete an administrator via a request to auth/admi...

    CVE-2015-0741
    Published: 2015-05-21
    Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Prime Central for Hosted Collaboration Solution (PC4HCS) 10.6(1) and earlier allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCut04596.

    CVE-2015-0742
    Published: 2015-05-21
    The Protocol Independent Multicast (PIM) application in Cisco Adaptive Security Appliance (ASA) Software 9.2(0.0), 9.2(0.104), 9.2(3.1), 9.2(3.4), 9.3(1.105), 9.3(2.100), 9.4(0.115), 100.13(0.21), 100.13(20.3), 100.13(21.9), and 100.14(1.1) does not properly implement multicast-forwarding registrati...

    CVE-2015-0746
    Published: 2015-05-21
    The REST API in Cisco Access Control Server (ACS) 5.5(0.46.2) allows remote attackers to cause a denial of service (API outage) by sending many requests, aka Bug ID CSCut62022.

    Dark Reading Radio
    Archived Dark Reading Radio
    Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.