
5/25/2012
03:07 PM

Cutting The Lag Between Detection And Action

Detecting a threat does little good if the targeted company is not ready to respond. Security experts weigh in on ways to speed a business' response to threats

When companies detect a possible threat or vulnerability, determining what the impact may be and how to mitigate the threat is not so easy in today's complex networks.

In a simple environment, such questions are easy. But not so in the complex enterprise environment with hundreds of thousands of systems and hundreds of network security controls, such as access control lists, firewall rules, and intrusion-prevention systems, says Jody Brazil, president and chief technology officer for FireMon.

"Most organizations can't even answer the most basic, simple questions of what access is allowed through my network," he says. "So the idea of does the bad actor actually pose a threat to your organization is a difficult question to answer."

Increasingly, companies are building more intelligent response systems that turn the detection of a possible threat into action. Automating the response also cuts down on the time it takes to respond.

Firewall management firm FireMon, for example, announced this week that it had integrated risk analysis with its firewall management system, allowing the software to gauge the impact of a filter rule on the network before the rule is deployed. Information-technology contractor Computer Sciences Corp. has created a system that can be programmed with possible actions based on corporate security policy. Called Dynamic Adaptive Defense, the system suggests responses to certain events and pushes them live after approval.

"You can't deal with real-time machine-speed attacks unless you are responding in real time," says Bernie Thomas, cybersecurity practice lead at CSC. "The only time you can respond in real time as a human is if you've thought about these issues in advance, and preplanned actions are the key."

Other companies are creating more integrated systems to bring detection and response together.

Do You Have What It Takes?
Companies first have to make sure they have the right systems to allow them to take action. Without a Web application firewall, intrusion-detection system, or endpoint-policy management, a company may detect an attack or a high-priority vulnerability, but still not be able to do anything, says Dan Kuykendall, co-CEO and chief technology officer of NT Objectives, an application testing and vulnerability-management firm.

"One of the first steps is to find out what defensive tools you have in place to help you mitigate the problem," he says. "And can you get the necessary people -- vendors or internal developers -- to help protect the system."

If an application-scanning system detects a vulnerability or a SIEM system pieces together signs of an attack, then the experts required to craft a defense should be on standby. Devising a strategy at the time of an attack, finding out that the company does not have the right technology, or trying to put together a response team will all slow down a company's ability to take action.

[ Not only does the state of firewall rules expose enterprises to undue risk, it inevitably throws the business out of compliance. See Poorly Managed Firewall Rule Sets Will Flag An Audit. ]

Many defensive technologies require rules, generally written as regular expressions. For security groups not used to working with the rule set, it's very difficult to craft an effective -- not to mention, correct -- rule.

"If people are not good at it -- and most people aren't [because] regular expressions are their own art -- it can be very difficult to craft a rule," Kuykendall says. "There is a lot that goes into it, including how you are going to prevent the attack without breaking good stuff."
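The point Kuykendall makes about rules that catch the attack "without breaking good stuff" can be checked before a rule is ever pushed live. The following is an added example, not code from the article, NT Objectives, or any product it mentions: it runs a candidate regular-expression rule against a small constructed corpus of known-benign and known-malicious request strings, refuses to compile a malformed pattern, and reports the benign traffic a rule would wrongly block alongside the attacks it would miss. The sample requests, rule patterns, and thresholds are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample traffic (not from the article). A WAF rule would see request paths like these.
BENIGN_REQUESTS = [
    "/search?q=select+a+chair",       # the word "select" appears in ordinary text
    "/docs/union-contracts.html",     # "union" in a legitimate path
    "/api/items?id=42",
    "/profile?name=O'Brien",          # apostrophes are normal in names
]
# Constructed samples of the class of attack the rule is meant to stop (SQL injection).
SQLI_REQUESTS = [
    "/api/items?id=1' OR '1'='1",
    "/api/items?id=1 UNION SELECT username, password FROM users",
]

# Two hypothetical candidate rules for the same attack class.
NAIVE_SQLI_RULE = r"select|union|'"                 # matches keywords anywhere: blocks good traffic
TIGHT_SQLI_RULE = r"'\s*or\s*'|union\s+select"      # anchored on injection syntax, not vocabulary


@dataclass
class RuleReport:
    """What a reviewer needs to know before a rule goes live."""
    pattern: str
    compile_error: Optional[str] = None
    false_positives: List[str] = field(default_factory=list)   # benign requests the rule blocks
    missed: List[str] = field(default_factory=list)            # attacks the rule lets through
    detected: int = 0

    @property
    def safe_to_deploy(self) -> bool:
        # Gate policy (an assumption): the pattern must compile, must not block any
        # known-good sample, and must catch every attack sample it was written for.
        return self.compile_error is None and not self.false_positives and not self.missed

    def reasons(self) -> List[str]:
        out = []
        if self.compile_error:
            out.append(f"pattern does not compile: {self.compile_error}")
        if self.false_positives:
            out.append(f"would block {len(self.false_positives)} benign request(s)")
        if self.missed:
            out.append(f"misses {len(self.missed)} attack sample(s)")
        return out


def evaluate_rule(pattern: str, benign: List[str], malicious: List[str]) -> RuleReport:
    """Exercise a candidate rule offline against labelled samples and return a report."""
    report = RuleReport(pattern=pattern)
    try:
        rx = re.compile(pattern, re.IGNORECASE)
    except re.error as exc:          # a typo in the rule must never reach production
        report.compile_error = str(exc)
        return report
    report.false_positives = [r for r in benign if rx.search(r)]
    report.missed = [r for r in malicious if not rx.search(r)]
    report.detected = len(malicious) - len(report.missed)
    return report


if __name__ == "__main__":
    for rule in (NAIVE_SQLI_RULE, TIGHT_SQLI_RULE, "("):
        rep = evaluate_rule(rule, BENIGN_REQUESTS, SQLI_REQUESTS)
        verdict = "DEPLOY" if rep.safe_to_deploy else "REJECT"
        print(f"{verdict:6} {rule!r}: detected={rep.detected} "
              f"false_positives={rep.false_positives} reasons={rep.reasons()}")
```

The naive rule catches both injection samples but also blocks a product search, a documentation page, and a user named O'Brien; the tighter rule catches the same attacks with no collateral damage, and the malformed pattern is rejected outright. Growing the benign corpus from real, sanitized traffic logs is what makes this gate meaningful.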

Automate The Hard Stuff
In speeding up defenses, automating response is invaluable. But pushing a bad firewall rule or a poor signature live can have serious repercussions, FireMon's Brazil says.

"There are implications if you don't do this well," he says.

Many companies can help automate much of the process by using their community as a large detection network. When one customer detects a threat, the information goes up to the vendor's cloud service and is distributed quickly to its other customers.

Check Point Software recently announced an anti-botnet system that also shares data anonymously with the company through its threat community, ThreatCloud, allowing the system to protect its other customers.

"If we find one outbreak, that is shared with the ThreatCloud and then everyone that has one of our gateways is protected," he says.

Double Check And Be Able To Undo
To stop attacks, security technology has to be placed inline, which means that a bad rule or misconfiguration can break a company's network. For that reason, companies need to be able to test and double-check any changes to configuration files to stop ongoing attacks or eliminate possible attacks against known vulnerabilities, Emo says.
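Both the pre-deployment impact check FireMon describes earlier in the story and the test-then-undo discipline described here can be modelled in a few lines. The following is an added example, not code from the article or from any vendor it names: a proposed firewall rule set is evaluated, before it goes live, against a list of flows the business needs and a list of flows that must stay blocked; a change that breaks a required flow or exposes a forbidden one is refused, and every change that is applied can be rolled back. The rules, addresses, and flows are constructed for the illustration and first-match-wins with an implicit default deny is an assumption about the firewall's semantics.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Flow = Tuple[str, str, int]   # (source IP, destination IP, destination port)


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # CIDR
    dst: str      # CIDR
    port: int     # 0 means any port

    def matches(self, flow: Flow) -> bool:
        src, dst, port = flow
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.port in (0, port))


def decide(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is denied (assumed semantics)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Constructed inventory of what must keep working and what must never be opened.
REQUIRED_FLOWS: List[Flow] = [
    ("10.1.0.5", "10.2.0.10", 443),    # web tier -> app tier
    ("10.1.0.5", "10.3.0.20", 5432),   # app tier -> database
]
FORBIDDEN_FLOWS: List[Flow] = [
    ("10.1.0.5", "10.3.0.20", 22),     # web tier must not reach the database over SSH
]
CURRENT_RULES = [
    Rule("allow", "10.1.0.0/16", "10.2.0.0/16", 443),
    Rule("allow", "10.1.0.0/16", "10.3.0.0/16", 5432),
]


def assess_change(proposed: List[Rule], required: List[Flow],
                  forbidden: List[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """Return (required flows the change would break, forbidden flows it would open)."""
    broken = [f for f in required if decide(proposed, f) != "allow"]
    exposed = [f for f in forbidden if decide(proposed, f) == "allow"]
    return broken, exposed


class ManagedRuleSet:
    """Holds the live rule set, gates every change, and keeps history for undo."""

    def __init__(self, rules: List[Rule]):
        self.active = list(rules)
        self.history: List[List[Rule]] = []

    def push(self, proposed: List[Rule], required: List[Flow],
             forbidden: List[Flow]) -> Tuple[bool, List[Flow], List[Flow]]:
        broken, exposed = assess_change(proposed, required, forbidden)
        if broken or exposed:
            return False, broken, exposed      # refused: the change never goes live
        self.history.append(self.active)       # remember the previous state for rollback
        self.active = list(proposed)
        return True, [], []

    def rollback(self) -> bool:
        if not self.history:
            return False
        self.active = self.history.pop()
        return True


if __name__ == "__main__":
    rs = ManagedRuleSet(CURRENT_RULES)
    # Constructed emergency change: block one source address (documentation range) everywhere.
    ok, _, _ = rs.push([Rule("deny", "198.51.100.7/32", "0.0.0.0/0", 0)] + rs.active,
                       REQUIRED_FLOWS, FORBIDDEN_FLOWS)
    print("targeted block accepted:", ok)
    # Constructed hasty change: "wall off the database" from everything, breaking the app tier.
    ok, broken, _ = rs.push([Rule("deny", "0.0.0.0/0", "10.3.0.0/16", 0)] + rs.active,
                            REQUIRED_FLOWS, FORBIDDEN_FLOWS)
    print("blanket block accepted:", ok, "would break:", broken)
    print("rolled back to previous rule set:", rs.rollback())
```

The targeted block passes because none of the required flows originate from the blocked address; the blanket block is refused because it would cut the application tier off from its database, which is exactly the kind of outage Brazil warns about. Rollback restores the previously accepted state without anyone having to reconstruct it under pressure.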

"If a security solution is out-of-band, a lot of damage can be done before you know anything is happening," he says. "But inline security has to be careful: Security can't interfere with business continuity."

In the end, foresight, the right technological automation, and the necessary experts can all help a company respond quickly.
