Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

5/25/2012
03:07 PM
50%
50%

Cutting The Lag Between Detection And Action

Detecting a threat does little good if the targeted company is not ready to respond. Security experts weigh in on ways to speed a business' response to threats

When companies detect a possible threat or vulnerability, determining what the impact may be and how to mitigate the threat is not so easy in today's complex networks.

In a simple environment, such questions are easy. But not so in the complex enterprise environment with hundreds of thousands of systems and hundreds of network security controls, such as access control lists, firewall rules, and intrusion-prevention systems, says Jody Brazil, president and chief technology officer for FireMon.

"Most organizations can't even answer the most basic, simple questions of what access is allowed through my network," he says. "So the idea of does the bad actor actually pose a threat to your organizations is a difficult question to answer."

Increasingly, companies are building more intelligence-response systems to turn the detection of possible threats into action. Automating the response cuts down on the time to respond as well.

Firewall management firm Firemon, for example, announced this week that it had integrated risk analysis with its firewall management system to allow the software to gauge the impact of certain filter rules on the network before deploying the rule. Information-technology contractor Computer Sciences Corp. has created a system that can be programmed with possible actions based on corporate security policy. Called Dynamic Adaptive Defense, the system will suggest responses to certain events and push them live, after approval.

"You can't deal with real-time machine-speed attacks unless you are responding in real time," says Bernie Thomas, cybersecurity practice lead at CSC. "The only time you can respond in real time as a human is if you've thought about these issues in advanced, and preplanned actions are they key."

Other companies are creating more integrated systems to bring detection and response together.

Do You Have What It Takes?
Companies first have to make sure they have the right systems to allow them to take action. Without a Web application firewall, intrusion-detection system, or endpoint-policy management, a company may detect an attack or a high-priority vulnerability, but still not be able to do anything, says Dan Kuykendall, co-CEO and chief technology officer of NT Objectives, an application testing and vulnerability-management firm.

"One of the first steps is to find out what defensive tools you have in place to help you mitigate the problem," he says. "And can you get the necessary people -- vendors or internal developers -- to help protect the system."

If an application-scanning system detects a vulnerability or a SIEM system pieces together signs of an attack, then the experts required to craft a defense should be on standby. Devising a strategy at the time of an attack, finding out that the company does not have the right technology, or trying to put together a response team will all slow down a company's ability to take action.

[ Not only does the state of firewall rules expose enterprises to undue risk, it inevitably throws the business out of compliance. See Poorly Managed Firewall Rule Sets Will Flag An Audit. ]

Many defensive technologies require rules, generally written as regular expressions. For security groups not used to working with the rule set, it's very difficult to craft an effective -- not to mention, correct -- rule.

"If people are not good at it -- and most people aren't [because] regular expressions are their own art -- it can be very difficult to craft a rule," Kuykendall says. "There is a lot that goes into it, including how you are going to prevent the attack without breaking good stuff."

Automate The Hard Stuff
In speeding up defenses, automating response is invaluable. But pushing a bad firewall rule or a poor signature live can have serious repercussions, Firemon's Brazil says.

"There are implications if you don't do this well," he says.

Many companies can help automate much of the process by using their community as a large detection network. When one customer detects a threat, the information goes up to the vendor's cloud service and is distributed quickly to its other customers.

Check Point Software recently announced an anti-botnet system that also shares data anonymously with the company through its threat community, ThreatCloud, allowing the system to protect its other customers.

"If we find one outbreak, that is shared with the ThreatCloud and then everyone that has one of our gateways is protected," he says.

Double Check And Be Able To Undo
To stop attacks, security technology has to be placed inline, which means that a bad rule or misconfiguration can break a company's network. For that reason, companies need to be able to test and double-check any changes to configuration files to stop ongoing attacks or eliminate possible attacks against known vulnerabilities, Emo says.

"If a security solution is out-of-band, a lot of damage can be done before you know anything is happening," he says. "But inline security has to be careful: Security can't interfere with business continuity."

In the end, foresight, the right technological automation, and the necessary experts can all help a company respond quickly.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cybersecurity Team Holiday Guide: 2019 Gag Gift Edition
Ericka Chickowski, Contributing Writer,  12/2/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19647
PUBLISHED: 2019-12-09
radare2 through 4.0.0 lacks validation of the content variable in the function r_asm_pseudo_incbin at libr/asm/asm.c, ultimately leading to an arbitrary write. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted input.
CVE-2019-19648
PUBLISHED: 2019-12-09
In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.