Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

5/25/2012
03:07 PM
50%
50%

Cutting The Lag Between Detection And Action

Detecting a threat does little good if the targeted company is not ready to respond. Security experts weigh in on ways to speed a business' response to threats

When companies detect a possible threat or vulnerability, determining what the impact may be and how to mitigate the threat is not so easy in today's complex networks.

In a simple environment, such questions are easy. But not so in the complex enterprise environment with hundreds of thousands of systems and hundreds of network security controls, such as access control lists, firewall rules, and intrusion-prevention systems, says Jody Brazil, president and chief technology officer for FireMon.

"Most organizations can't even answer the most basic, simple questions of what access is allowed through my network," he says. "So the idea of does the bad actor actually pose a threat to your organizations is a difficult question to answer."

Increasingly, companies are building more intelligence-response systems to turn the detection of possible threats into action. Automating the response cuts down on the time to respond as well.

Firewall management firm Firemon, for example, announced this week that it had integrated risk analysis with its firewall management system to allow the software to gauge the impact of certain filter rules on the network before deploying the rule. Information-technology contractor Computer Sciences Corp. has created a system that can be programmed with possible actions based on corporate security policy. Called Dynamic Adaptive Defense, the system will suggest responses to certain events and push them live, after approval.

"You can't deal with real-time machine-speed attacks unless you are responding in real time," says Bernie Thomas, cybersecurity practice lead at CSC. "The only time you can respond in real time as a human is if you've thought about these issues in advanced, and preplanned actions are they key."

Other companies are creating more integrated systems to bring detection and response together.

Do You Have What It Takes?
Companies first have to make sure they have the right systems to allow them to take action. Without a Web application firewall, intrusion-detection system, or endpoint-policy management, a company may detect an attack or a high-priority vulnerability, but still not be able to do anything, says Dan Kuykendall, co-CEO and chief technology officer of NT Objectives, an application testing and vulnerability-management firm.

"One of the first steps is to find out what defensive tools you have in place to help you mitigate the problem," he says. "And can you get the necessary people -- vendors or internal developers -- to help protect the system."

If an application-scanning system detects a vulnerability or a SIEM system pieces together signs of an attack, then the experts required to craft a defense should be on standby. Devising a strategy at the time of an attack, finding out that the company does not have the right technology, or trying to put together a response team will all slow down a company's ability to take action.

[ Not only does the state of firewall rules expose enterprises to undue risk, it inevitably throws the business out of compliance. See Poorly Managed Firewall Rule Sets Will Flag An Audit. ]

Many defensive technologies require rules, generally written as regular expressions. For security groups not used to working with the rule set, it's very difficult to craft an effective -- not to mention, correct -- rule.

"If people are not good at it -- and most people aren't [because] regular expressions are their own art -- it can be very difficult to craft a rule," Kuykendall says. "There is a lot that goes into it, including how you are going to prevent the attack without breaking good stuff."

Automate The Hard Stuff
In speeding up defenses, automating response is invaluable. But pushing a bad firewall rule or a poor signature live can have serious repercussions, Firemon's Brazil says.

"There are implications if you don't do this well," he says.

Many companies can help automate much of the process by using their community as a large detection network. When one customer detects a threat, the information goes up to the vendor's cloud service and is distributed quickly to its other customers.

Check Point Software recently announced an anti-botnet system that also shares data anonymously with the company through its threat community, ThreatCloud, allowing the system to protect its other customers.

"If we find one outbreak, that is shared with the ThreatCloud and then everyone that has one of our gateways is protected," he says.

Double Check And Be Able To Undo
To stop attacks, security technology has to be placed inline, which means that a bad rule or misconfiguration can break a company's network. For that reason, companies need to be able to test and double-check any changes to configuration files to stop ongoing attacks or eliminate possible attacks against known vulnerabilities, Emo says.

"If a security solution is out-of-band, a lot of damage can be done before you know anything is happening," he says. "But inline security has to be careful: Security can't interfere with business continuity."

In the end, foresight, the right technological automation, and the necessary experts can all help a company respond quickly.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
More SolarWinds Attack Details Emerge
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/12/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7343
PUBLISHED: 2021-01-18
Missing Authorization vulnerability in McAfee Agent (MA) for Windows prior to 5.7.1 allows local users to block McAfee product updates by manipulating a directory used by MA for temporary files. The product would continue to function with out-of-date detection files.
CVE-2020-28476
PUBLISHED: 2021-01-18
All versions of package tornado are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configura...
CVE-2020-28473
PUBLISHED: 2021-01-18
The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with defa...
CVE-2021-25173
PUBLISHED: 2021-01-18
An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory allocation with excessive size vulnerability exists when reading malformed DGN files, which allows attackers to cause a crash, potentially enabling denial of service (crash, exit, or restart).
CVE-2021-25174
PUBLISHED: 2021-01-18
An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory corruption vulnerability exists when reading malformed DGN files. It can allow attackers to cause a crash, potentially enabling denial of service (Crash, Exit, or Restart).