"Take back your security infrastructure"
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
WRITTEN: 2004
DISCLAIMER: Security is a rapidly changing field of human endeavor. Threats we face literally change every day; moreover, many security professionals consider the rate of change to be accelerating. On top of that, to be able to stay in touch with such an ever-changing reality, one has to evolve with the space as well. Thus, even though I hope that this document will be useful to my readers, please keep in mind that it was possibly written years ago. Also, keep in mind that some of the URLs might have gone 404; please Google around.
This paper discusses the question of optimizing security decisions in an organization, based on the information provided by the technical security infrastructure.

Imagine you work for one of those companies where information security is taken seriously, senior management support is taken for granted, the appropriate IT defenses are deployed and users are educated on the security policy (a security utopia, no less). Firewalls are humming along, intrusion detection systems are installed and the incident response team is trained and ready for action. This goes a long way towards creating a more secure enterprise computing environment.

In this context, let's look at it from the prevention-detection-response model. Prevention is most likely handled by the combination of the organization's firewalls, intrusion prevention devices and vulnerability scanning, as well as hardened hosts and applications. Naturally, intrusion detection systems seek to provide detection, while a team of experts armed with forensic and other investigative tools provides response.

Admittedly, the above picture is a grand simplification, but the separation between prevention, detection and response is still artificial to a large degree. Firewalls greatly help in detection by providing logs of allowed and denied connections, IDS can be configured to respond to incidents automatically, and security professionals are at the core of all three components.

The above complex interplay between prevention, detection and response is further complicated by the continuous decision-making process: 'what to respond to?', 'how to prevent catastrophic loss?', 'do I care about this thing I just detected?', etc. Such decisions are based on the information provided by the security infrastructure components. Paradoxically, the more technical security defenses one deploys, the more messages the firewalls block and the more alerts the detection systems send, the harder it is to make the right decisions about how to react.
The volume and obscurity of the information emanating from the security infrastructure contribute to such difficulties. And at some moment, the question of trying to predict what fire will flare next (or, "being proactive" in marketspeak) will come up.

What are the common options for optimizing the security decisions made by the company's security decision-makers? The security information flow needs to be converted into a decision. Attempts to create a fully automated solution for making such a decision, some even based on artificial intelligence, have not yet reached a commercially viable stage. The problem is thus to create a system that reduces the information deluge sufficiently and then provides some guidance to the system's human operators so that they can make the right security decision. Notice that this does not preclude a certain degree of automation.

In addition to facilitating decision-making in case of a security event (defined as a single communication instance from a security device) or an incident (defined as a confirmed attempted intrusion, other attack or discovered abuse), reducing the information flow is required for implementing security benchmarks and metrics. Assessing the effectiveness of deployed security controls is an extremely valuable part of an organization's security program. Such an assessment can be used to calculate a security Return On Investment (ROI or ROSI) and to enable other methods for marrying security and business needs.
 
The commonly utilized scenarios can be loosely categorized as follows:

- install-and-forget: don't look at the information, avoid decisions (unfortunately, all too common)
- manual data reduction, or reliance on a particular person to extract and analyze the meaningful audit records
- in-house automation tools such as scripts and utilities aimed at processing the information flow

Let us briefly look at the advantages and disadvantages of the above methods.

Is there a chance that the first approach - deploying and leaving the security infrastructure unsupervised - has a business justification? Indeed, some people do drive their cars without mandatory car insurance, but companies are unlikely to be moved by the same reasons that motivate reckless drivers. Most of the CSI members have probably heard that 'Having a firewall does not provide 100% security' many times. In fact, 0-day (i.e. previously unpublished and unknown to the software vendor) exploits and new vulnerabilities are overall less of a threat than the company's own employees. Technology solutions are rarely effective against social and human problems, such as malicious insiders or those duped by social engineering attacks. Advanced firewalls can probably be made to mitigate the threat from new exploits, but not from the firewall administrators' mistakes and deliberate tampering from inside the protected perimeter. In addition, a total lack of feedback on security technology performance will prevent a company from taking a proactive stance against new threats and adjusting its defenses against the flood of attacks hitting its bastions. Security metrics will also be largely non-existent under such circumstances.

Does relying on human experts to understand your security information and to provide effective response guidelines based on the gathered evidence constitute a viable alternative to doing nothing? Specifically, two approaches to the problem are common in this scenario. First, a security professional can study the evidence AFTER the incident. Careful examination of evidence collected by various security devices will certainly shed light on the incident and will likely help to figure out what happened, as well as to draw lessons from it to prevent the recurrence.
However, in case extensive damage is done to the organization, it is already too late, and prevention of future incidents of the same kind will not return the stolen intellectual property or the disappointed business partners. Expert response after the fact has a good chance to be "too little, too late" in the age of fast automated attack tools and worms. The second option is to review the accumulated audit trail data periodically. A simple calculation is in order. A single border router will produce hundreds of log messages per second on a busy network, and so will the firewall. Adding host messages from even several servers will increase the flow by hundreds more per second. Now if one is to scale this to an average large company network infrastructure, the information flow will increase a hundredfold. No human expert or team will be able to review, let alone analyze, the incoming flood of signals.

But what if a security professional chooses to automate the task by writing a script or a program to alert him or her on the significant events? Such a program may help with data collection (a centralized syslog server or a database) and alerting (email, pager, voice mail). However, a series of important questions arises. Collected data will greatly help with an incident investigation, but what about the timeliness of the response? Separating meaningful events from mere chaff is not a trivial task, especially in a large multi-vendor environment. Moreover, even devices sold by a single vendor might have various event prioritization schemes and protocols.
Thus designing the right data reduction and analysis scheme that optimizes the security decision process might require significant time and capital investment and still not reach the set goals due to a lack of the specific analysis expertise.

In addition, alerting on raw event data (such as 'if you see a specific IDS signature, send an email') will quickly turn into the "boy who cried wolf" story, with pagers screaming for attention and not getting it. In light of the above problems with prioritization, simply alerting on "high-priority" events is not an effective solution. Indeed, IDS systems can be tuned to produce fewer alerts, but to effectively tune the system one needs access to the whole feedback provided by the security infrastructure and not just to raw IDS logs. For example, outside and inside firewall logs are very useful for tuning the IDS deployed in the DMZ.

Overall, it appears that simply investing in more and more security devices does not create more security. One needs to keep in close touch with the deployed devices, and the only way to do it is by using special-
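The two preceding paragraphs make the case that alerting on raw IDS priority alone produces noise, and that the firewall logs on both sides of the DMZ are what let you tune and rank IDS output. The Python script below is an added example written for this edit, not code from the paper or its author. It correlates each IDS alert with outside and inside firewall records for the same connection, demotes alerts for connections the firewall already denied (useful for tuning, not for paging), collapses repeats per source and signature, and ranks what is left. Everything specific here is an assumption for the example: the "timestamp key=value" log format, the constructed sample records, the five-second matching window, and the four response levels (page, ticket, review, log-only).

```python
"""Correlate IDS alerts with firewall logs to cut alert volume and rank
what remains. The log format and all sample records below are
constructed for this example; they do not come from any real device."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log: outside (Internet -> DMZ) and inside (DMZ -> LAN)
# firewalls, tagged fw=outside / fw=inside. Addresses are documentation ranges.
FIREWALL_LOG = """\
2004-03-01T10:00:01 fw=outside action=ACCEPT src=203.0.113.5 dst=192.0.2.10 dport=80
2004-03-01T10:00:02 fw=outside action=ACCEPT src=203.0.113.5 dst=192.0.2.10 dport=80
2004-03-01T10:00:05 fw=outside action=DENY src=198.51.100.7 dst=192.0.2.10 dport=1433
2004-03-01T10:00:06 fw=outside action=ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=80
2004-03-01T10:01:10 fw=inside action=DENY src=192.0.2.10 dst=10.0.0.5 dport=445
2004-03-01T10:01:11 fw=inside action=ACCEPT src=192.0.2.10 dst=10.0.0.8 dport=1433
"""

# Constructed IDS log from a sensor in the DMZ; prio=1 is the most severe.
IDS_LOG = """\
2004-03-01T10:00:01 sig="HTTP directory traversal attempt" prio=1 src=203.0.113.5 dst=192.0.2.10 dport=80
2004-03-01T10:00:02 sig="HTTP directory traversal attempt" prio=1 src=203.0.113.5 dst=192.0.2.10 dport=80
2004-03-01T10:00:05 sig="MS-SQL probe" prio=2 src=198.51.100.7 dst=192.0.2.10 dport=1433
2004-03-01T10:01:10 sig="SMB probe" prio=1 src=192.0.2.10 dst=10.0.0.5 dport=445
2004-03-01T10:01:11 sig="MS-SQL probe" prio=2 src=192.0.2.10 dst=10.0.0.8 dport=1433
2004-03-01T10:02:00 sig="ICMP large echo" prio=3 src=203.0.113.9 dst=192.0.2.10 dport=0
"""


def parse(text):
    """Parse 'timestamp key=value ...' lines (quoted values allowed) into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = shlex.split(line)          # shlex handles sig="..." quoting
        rec = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def raw_alert_count(ids_text, page_prio=1):
    """The naive scheme: page on every alert at or above a given priority."""
    return sum(1 for a in parse(ids_text) if int(a["prio"]) <= page_prio)


def firewall_outcome(alert, fw_records, window):
    """Did a firewall let the alerted connection through?
    Returns 'reached', 'blocked', or 'unknown' (no record within the window)."""
    actions = {
        r["action"] for r in fw_records
        if (r["src"], r["dst"], r["dport"]) == (alert["src"], alert["dst"], alert["dport"])
        and abs(r["ts"] - alert["ts"]) <= window
    }
    if "ACCEPT" in actions:
        return "reached"
    if "DENY" in actions:
        return "blocked"
    return "unknown"


def decide(prio, outcome):
    """Map (best IDS priority, firewall outcome) to a response level (assumed scale)."""
    if outcome == "blocked":
        return "log-only"   # stopped at the firewall: keep for IDS tuning, do not page
    if outcome == "unknown":
        return "review"     # no corroborating record: needs a human look
    return "page" if prio == 1 else "ticket"


def triage(ids_text, fw_text, window_seconds=5):
    """Correlate, aggregate repeats per (src, signature, outcome), and rank."""
    fw_records = parse(fw_text)
    window = timedelta(seconds=window_seconds)
    groups = defaultdict(lambda: {"count": 0, "dsts": set(), "prio": 99})
    for alert in parse(ids_text):
        g = groups[(alert["src"], alert["sig"], firewall_outcome(alert, fw_records, window))]
        g["count"] += 1
        g["dsts"].add(alert["dst"])
        g["prio"] = min(g["prio"], int(alert["prio"]))
    order = {"page": 0, "ticket": 1, "review": 2, "log-only": 3}
    rows = [{"src": src, "sig": sig, "outcome": outcome, "count": g["count"],
             "targets": sorted(g["dsts"]), "action": decide(g["prio"], outcome)}
            for (src, sig, outcome), g in groups.items()]
    return sorted(rows, key=lambda r: (order[r["action"]], -r["count"]))


if __name__ == "__main__":
    print("raw scheme would page", raw_alert_count(IDS_LOG), "times")
    for row in triage(IDS_LOG, FIREWALL_LOG):
        print(f"{row['action']:8} x{row['count']} {row['src']} {row['sig']!r} "
              f"-> {row['targets']} ({row['outcome']})")
```

On the constructed sample, the raw "page on priority 1" scheme fires three times, one of them for a probe the inside firewall had already denied; after correlation there is a single page (the repeated traversal attempts that the outside firewall let through), one ticket, one item for review, and two log-only groups that tell you which IDS signatures are firing on traffic the firewalls stop anyway.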