
Moving Safely From Detection To Automated Action

Companies that fail to make the most use of automation put themselves at risk, yet doing it wrong can lead to business disruptions

Many companies remain cautious of automating their security systems, leery of the possible business interruptions that could happen when a mistake gets propagated across their systems.

Yet the complexity that the average information security manager or chief information security officer has to navigate means that automation is no longer an option but a mandate, security experts say. Adding up the threats that need to be tracked, the vulnerabilities that must be mitigated, and the users that need to be looked after produces a stark calculus for defenders, says Mike Lloyd, chief technology officer of RedSeal Networks, a network-management firm.

Companies that do not focus on automating their monitoring and incident response are likely missing threats to their business, he says. Worries over automation are natural, but they place defenders at a disadvantage, because attackers have no qualms about multiplying their impact with automated programs and systems.

"The attackers have moved up to automated weaponry, while the defenders are still using bows and arrows," Lloyd says.

The distrust of automation is so pervasive that, despite the commoditization of intrusion prevention systems over the past decade, many companies still run those appliances in detect-only mode and never let them block anything, he says.

Yet automation done wrong can be worse than the threats it is meant to stop. Bad things happen when automation propagates an error. Take the March 2013 incident that took CloudFlare, the Internet load-balancing and DDoS-mitigation service, offline for more than an hour. The company's analysis of an ongoing attack produced an odd router rule. The rule was meant to filter out packets of a size that cannot exist on the Internet, so it should have matched nothing; nonetheless an analyst pushed it to every edge router at once. Making matters worse, the rule crashed the routers.

"What should have happened is that no packet should have matched that rule because no packet was actually that large," the company wrote in a March 3 post. "What happened instead is that the routers encountered the rule and then proceeded to consume all their RAM until they crashed."
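The two safeguards missing from that sequence, a plausibility check on the rule itself and a canary stage before a fleet-wide push, as an added example in Python. This is not CloudFlare's tooling and not code from the article; the rule format, the fleet, the use of the 65,535-byte IPv4 datagram ceiling as the plausibility test, and the "firmware" crash condition in faulty_push are all constructed for illustration.

```python
"""Added example: guard rails for pushing an auto-generated filter rule to a router fleet.
Rule schema, fleet model and the fault in faulty_push are assumptions, not real products."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MAX_IP_DATAGRAM = 65535   # largest possible IPv4 datagram; no packet on the wire exceeds it


@dataclass
class FilterRule:
    name: str
    min_len: int          # match packets at least this many bytes long
    max_len: int          # ... and at most this many bytes long
    action: str = "drop"


@dataclass
class Router:
    name: str
    rules: List[FilterRule] = field(default_factory=list)
    healthy: bool = True


def validate_rule(rule: FilterRule) -> Optional[str]:
    """Guard rail 1: reject rules that are malformed or can never match real traffic.
    Returns a rejection reason, or None if the rule is acceptable."""
    if rule.action not in ("drop", "alert"):
        return f"unknown action {rule.action!r}"
    if rule.min_len < 0 or rule.max_len < rule.min_len:
        return "inverted or negative length range"
    if rule.min_len > MAX_IP_DATAGRAM:
        return (f"min length {rule.min_len} exceeds the largest IP datagram "
                f"({MAX_IP_DATAGRAM}); the rule can never match")
    return None


def faulty_push(router: Router, rule: FilterRule) -> None:
    """Constructed stand-in for a config push to one router. The crash condition
    (any length range wider than 9000 bytes) is an assumed firmware bug, included so
    that the canary stage has something to catch that the validator does not."""
    if rule.max_len - rule.min_len > 9000:
        router.healthy = False        # the box is gone; the rule never took effect
        return
    router.rules.append(rule)


def staged_rollout(rule: FilterRule, fleet: List[Router],
                   push: Callable[[Router, FilterRule], None],
                   canary_count: int = 1) -> Dict[str, object]:
    """Guard rail 2: validate, push to a canary subset, health-check, and only then
    continue to the rest of the fleet; roll back and stop on the first failure."""
    reason = validate_rule(rule)
    if reason is not None:
        return {"status": "rejected", "reason": reason, "deployed": []}

    canaries, remainder = fleet[:canary_count], fleet[canary_count:]
    deployed: List[str] = []
    for router in canaries:
        push(router, rule)
        deployed.append(router.name)
        if not router.healthy:
            # Pull the rule from canaries that still respond; never touch the remainder.
            for other in canaries:
                if other.healthy:
                    other.rules = [r for r in other.rules if r.name != rule.name]
            return {"status": "rolled_back",
                    "reason": f"canary {router.name} became unhealthy",
                    "deployed": deployed}

    for router in remainder:
        push(router, rule)
        deployed.append(router.name)
    return {"status": "deployed", "reason": None, "deployed": deployed}


def new_fleet(size: int = 5) -> List[Router]:
    """Five constructed edge routers, fresh for each scenario."""
    return [Router(f"edge-{i}") for i in range(1, size + 1)]


def demo() -> Dict[str, str]:
    """Three scenarios: an impossible rule, a plausible rule that crashes the canary,
    and a narrow rule that rolls out cleanly."""
    impossible = FilterRule("drop-giant-packets", 70000, 80000)   # constructed, cannot match
    wide = FilterRule("drop-large-packets", 1500, 60000)           # passes validation, trips the fault
    sane = FilterRule("drop-oversize-udp", 9001, 9500)             # narrow and plausible
    return {
        "impossible": str(staged_rollout(impossible, new_fleet(), faulty_push)["status"]),
        "wide": str(staged_rollout(wide, new_fleet(), faulty_push)["status"]),
        "sane": str(staged_rollout(sane, new_fleet(), faulty_push)["status"]),
    }


if __name__ == "__main__":
    print(demo())
```

Neither check is specific to packet-size rules: the validator encodes whatever "cannot happen" knowledge the team has about the rule language, and the canary stage is what catches the failures nobody thought to encode. The rollback here only removes the rule from canaries that still answer; a router that has already crashed needs out-of-band recovery, which is exactly why the rest of the fleet must not be touched.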

Greater efficiency means more time for defense
Companies should start their automation efforts by finding the workflows that generate few false positives or errors and automating those first. Such efforts may not directly raise the odds of detecting an attacker, but they free defenders to pursue other analyses and investigations, and so strengthen defenses indirectly, says Dan Kuykendall, chief technology officer and co-CEO of NT OBJECTives, an application security firm.

"It is not just about automation, but about efficiency," he says. "If you are in a scenario where your scanner tells you that you have 20 or 30 vulnerabilities, sitting down and hand-writing filters is generally out of reach for most people. Having that automated piece is very efficient."


Overall, the degree of automation should depend on the accuracy of the detection systems: if a system produces many false positives, automating its response will be just as error-prone, and a human--or more than one expert--needs to stay in the loop. Vulnerability scanners, for example, can automatically generate rules for a network firewall or a Web application firewall, but the system's manager should review each proposed rule before it goes live.

"When you observe something, you want to see that the accuracy is very high before automating the response," says Chris Petersen, chief technology officer and co-founder of log management firm LogRhythm, warning that "other security alerts, such as those resulting from behavioral analytics, are not going to be as concrete as that."

The level of oversight also depends on the action taken in response. Blocking access to a public Web server is a serious measure, so a manager should sign off on the change. Responses to other types of alerts, such as disabling a user account from which suspicious activity has been detected, could be carried out automatically, says Petersen.

"The impact of a disabled account is relatively minor--the user may be unproductive for a couple of hours," he says.
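Petersen's two criteria, detection accuracy and the weight of the action, expressed as a routing policy, with a circuit breaker added for the error-propagation problem the CloudFlare incident illustrates (a single noisy detector should not be able to disable every account in the company). This is an added example, not code from the article or from LogRhythm; the playbook, the detector precision figures and the thresholds are constructed, and a real deployment would derive precision from its own triage history.

```python
"""Added example: route each alert to automatic action or to a person, based on
how accurate the detector is and how much damage the response can do.
Playbook, precision figures and thresholds are constructed for illustration."""
from collections import deque
from dataclasses import dataclass, field
from enum import Enum
from typing import Deque, Dict, List, Optional, Tuple


class Impact(Enum):
    """Blast radius of a response action, lowest to highest."""
    LOW = 1       # one user locked out for a few hours (disable an account)
    MEDIUM = 2    # a filter rule that may catch some legitimate traffic (push a WAF rule)
    HIGH = 3      # a public service goes dark (block the web server)


@dataclass(frozen=True)
class ResponseAction:
    name: str
    impact: Impact


@dataclass(frozen=True)
class Alert:
    alert_type: str
    subject: str         # account, host or address the action would apply to
    confidence: float    # detector's score for this particular event, 0.0 to 1.0


# Which action each alert type maps to. Constructed playbook.
PLAYBOOK: Dict[str, ResponseAction] = {
    "credential_stuffing_success": ResponseAction("disable_account", Impact.LOW),
    "ueba_anomalous_login": ResponseAction("disable_account", Impact.LOW),
    "scanner_cve_finding": ResponseAction("push_waf_rule", Impact.MEDIUM),
    "webshell_upload": ResponseAction("block_public_web_server", Impact.HIGH),
}

# Measured precision of each detector (true positives / alerts fired) over, say,
# a quarter of triage records. Constructed values; behavioral analytics is noisy.
DETECTOR_PRECISION: Dict[str, float] = {
    "credential_stuffing_success": 0.98,
    "ueba_anomalous_login": 0.55,
    "scanner_cve_finding": 0.97,
    "webshell_upload": 0.99,
}

# Minimum detector precision before an action may run unattended, by impact.
# HIGH is deliberately unreachable: those actions always need a sign-off.
AUTO_PRECISION_FLOOR = {Impact.LOW: 0.90, Impact.MEDIUM: 0.95, Impact.HIGH: 1.01}
MIN_EVENT_CONFIDENCE = 0.80


@dataclass
class Policy:
    """Decides per alert whether to act automatically or hand off to a person, and
    holds a circuit breaker: once automation has fired max_auto_per_window times for
    one action inside the window, further instances go to an analyst instead."""
    max_auto_per_window: int = 5
    window: int = 100            # measured in alert sequence numbers, not wall-clock time
    _recent_auto: Dict[str, Deque[int]] = field(default_factory=dict)
    _seq: int = 0

    def decide(self, alert: Alert) -> Tuple[str, str]:
        """Return (route, reason); route is 'auto', 'analyst_review',
        'manager_approval' or 'triage'."""
        self._seq += 1
        action = PLAYBOOK.get(alert.alert_type)
        if action is None:
            return ("triage", f"no playbook for {alert.alert_type}")
        if action.impact is Impact.HIGH:
            return ("manager_approval", f"{action.name} is a high-impact action")
        precision = DETECTOR_PRECISION.get(alert.alert_type, 0.0)
        floor = AUTO_PRECISION_FLOOR[action.impact]
        if precision < floor:
            return ("analyst_review", f"detector precision {precision:.2f} is below "
                                      f"{floor:.2f} for {action.impact.name} impact")
        if alert.confidence < MIN_EVENT_CONFIDENCE:
            return ("analyst_review", f"event confidence {alert.confidence:.2f} too low")
        if self._breaker_open(action.name):
            return ("analyst_review", f"circuit breaker: {self.max_auto_per_window} automatic "
                                      f"{action.name} actions already in this window")
        return ("auto", f"{action.name} on {alert.subject}")

    def _breaker_open(self, action_name: str) -> bool:
        q = self._recent_auto.setdefault(action_name, deque())
        while q and self._seq - q[0] > self.window:
            q.popleft()                      # drop entries that fell out of the window
        if len(q) >= self.max_auto_per_window:
            return True
        q.append(self._seq)                  # record this automatic action
        return False


def route_batch(alerts: List[Alert], policy: Optional[Policy] = None) -> List[str]:
    """Route a sequence of alerts through one policy instance and return the routes."""
    policy = policy or Policy()
    return [policy.decide(a)[0] for a in alerts]


def demo() -> List[str]:
    """Constructed alert stream: one of each kind, then a burst of account-disable alerts."""
    alerts = [
        Alert("credential_stuffing_success", "jdoe", 0.95),
        Alert("ueba_anomalous_login", "asmith", 0.93),
        Alert("scanner_cve_finding", "www-1", 0.99),
        Alert("webshell_upload", "www-1", 0.99),
        Alert("credential_stuffing_success", "mlee", 0.40),
    ] + [Alert("credential_stuffing_success", f"user{i}", 0.95) for i in range(7)]
    return route_batch(alerts)


if __name__ == "__main__":
    for route in demo():
        print(route)
```

On the constructed stream the first credential-stuffing alert and the scanner finding are actioned automatically, the behavioral-analytics alert goes to an analyst because its detector is too imprecise, the webshell case goes to a manager regardless of confidence, and the burst at the end is cut off after the fifth automatic account disable. The breaker threshold is the knob that bounds how far one bad detector can propagate before a person notices.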

Standardization is needed
Another roadblock to automating the response to threats is that detection systems and response systems do not typically speak the same language. Vulnerability management systems will usually list issues by their Common Vulnerabilities and Exposures (CVE) identifiers, while intrusion prevention systems generally express the same issues in terms of proprietary signatures, says RedSeal Networks' Lloyd.

"The industry is letting their customers down by not integrating their products well," he says.

Companies that plan to tie systems together for automation should look at the Security Content Automation Protocol (SCAP), a suite of specifications maintained by the U.S. National Institute of Standards and Technology for expressing vulnerability, configuration and compliance data in a machine-readable form that different security products can exchange.

About the author: Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
6/18/2013 | 11:21:31 PM
re: Moving Safely From Detection To Automated Action
Hi Robert, thanks for the insightful article. While many companies are hesitant to automate their security systems because of possible business interruptions in the event of a problem, the benefits of automatic security measures, such as identity and access management (IAM) solutions can save companies a lot of time and money associated with manually managing network security. Companies that manually monitor security measures are more likely to miss important threats and waste internal resources that could easily be taken care of with an automated solution.

Companies are starting to realize that it is not ok to be out of compliance 364 days of the year. Annual access certification is marginally better than doing nothing at all.
However, this approach can create a false sense of security by creating the illusion of compliance. Embedding controls into the business process, thereby preventing inappropriate access grants from occurring in the first place, creates a culture of continuous compliance and mitigates the burden of access certification.

With federal regulations like FISMA that require automated compliance reporting, companies should already be moving towards finding ways to automate IAM processes, even if they are hesitant to do so. These proactive steps can cut down operating costs and increase protection against noncompliance and other potential threats. I'd be interested to hear your thoughts on our approach: http://n8id.com/our-company/ov...