Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

12:15 AM

Moving Safely From Detection To Automated Action

Companies that fail to make the most use of automation put themselves at risk, yet doing it wrong can lead to business disruptions

Many companies remain cautious of automating their security systems, leery of the possible business interruptions that could happen when a mistake gets propagated across their systems.

Yet, the complexity that the average information security manager or chief information-security officer has navigate means that automation is no longer an option, but a mandate, say security experts. Adding up the threats that need to be tracked, the vulnerabilities that must be mitigated, and the users that need to be cared for results in a stark calculus for the defenders, says Mike Lloyd, chief technology officer of RedSeal Networks, a network-management firm.

Companies that do not focus on automating their monitoring and response to incidents are likely missing threats to the their business, he says. While worries over automation are natural, they are placing defenders at a disadvantage because attackers have no qualms about multiplying their impact with automated programs and systems.

"The attackers have moved up to automated weaponry, while the defenders are still using bows and arrows," Lloyd says.

The distrust of automation is so pervasive that, despite the commoditization of intrusion prevention systems over the past decade, many companies continue to use their appliances to merely detect threats, he says.

Yet, automation done wrong can be worse than the threats. Bad things can happen when automation ends up propagating an error. Take the March incident that downed Internet load-balancing service CloudFlare for more than an hour. The company analysis of an on-going attack resulted in an odd router rule. Despite the fact that the rule attempted to filter out packets that could not exist on the Internet, an analyst pushed out the rule to every edge router. Making matters worse, the rule crashed the routers.

"What should have happened is that no packet should have matched that rule because no packet was actually that large," the company wrote in a March 3 post. "What happened instead is that the routers encountered the rule and then proceeded to consume all their RAM until they crashed."

Greater efficiency means more time for defense
Companies should start their automation efforts by looking for workflows that generate few false positives or errors, and automate those first. While such efforts may not directly result in a greater likelihood of detecting attackers, they will free up defenders to pursue other analyses and investigations, and so indirectly will strengthen defenses, says Dan Kuykendall, chief technology officer and co-CEO of NT OBJECTives, an application security firm.

"It is not just about automation, but about efficiency," he says. "If you are in a scenario where your scanner tells you that you have 20 or 30 vulnerabilities, sitting down and hand-writing filters is generally out of reach for most people. Having that automated piece is very efficient."

[With a federal agency deadline for Federal Information Security Management Act (FISMA) compliance reporting through the new automated tool already past, security experts believe the government still has a long way to go. See Continuous Monitoring Still A Long Way Off For The Feds.]

Overall, the degree of automation should depend on the accuracy of the detection systems: If the system produces a lot of false positives, then automation will likely be error-prone. In that case, having a human--or more than one expert--in the loop is necessary. Vulnerability scanners can automatically generate rules that can then be added to a network firewall or a Web application firewall, but the system's manager should review the response.

"When you observe something, you want to see that the accuracy is very high before automating the response," says Chris Petersen, chief technology officer and co-founder of log management firm LogRhythm, warning that "other security alerts, such as those resulting from behavioral analytics, are not going to be as concrete as that."

The level of oversight also depends on the action take in response. Blocking access to a public Web server is a serious measure, so a manager should sign off on the change. Responses to other types of alerts, such as disabling the account of a user from which suspicious activity has been detected, could be done automatically, says Petersen.

"The impact of a disabled account is relatively minor--the user may be unproductive for a couple of hours," he says.

Standardization is needed
Another road block to automating the response to threats is that detection systems and response systems do not typically speak the same language. Vulnerability management systems will likely list issues in the Common Vulnerability and Exposures (CVE) format, while intrusion prevention systems generally have a proprietary way of expressing vulnerabilities in terms of signatures, says RedSeal Networks' Lloyd.

"The industry is letting their customers down by not integrating their products well," he says.

Companies that are planning to tie systems together to better automate them should look at the Security Content Automation Protocol (SCAP), a standard developed by the U.S. National Institute of Standards and Technology for allowing interoperability between security devices.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
6/18/2013 | 11:21:31 PM
re: Moving Safely From Detection To Automated Action
Hi Robert, thanks for the insightful article. While many companies are hesitant to automate their security systems because of possible business interruptions in the event of a problem, the benefits of automatic security measures, such as identity and access management (IAM) solutions can save companies a lot of time and money associated with manually managing network security. Companies that manually monitor security measures are more likely to miss important threats and waste internal resources that could easily be taken care of with an automated solution.

Companies are starting to realize that it is not ok to be out of compliance 364 days of the year. Annual access certification is marginally better than doing nothing at all.
However, this approach can create a false sense of security by creating the illusion of compliance. Embedding controls into the business process, thereby preventing inappropriate access grants from occurring in the first place, creates a culture of continuous compliance and mitigates the burden of access certification.

With federal regulations like FISMA that require automated compliance reporting, companies should already be moving towards finding ways to automate IAM processes, even if they are hesitant to do so. These proactive steps can cut down operating costs and increase protection against noncompliance and other potential threats. IGd be interested to hear your thoughts on our approach: http://n8id.com/our-company/ov...
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.