Automated security response: Friend or Frankenstein?

Empowering devices on the network to make decisions and take actions without human intervention may be scary, but it could help limit your security nightmares.

Whether it's intrusion prevention, active response or automated remediation, the concept is the same. You're empowering a device on the network to make decisions and take actions without human intervention. Many of you might shudder at the thought, while others have taken the leap and deployed these technologies. There are certainly legitimate concerns, but the appeal is also undeniable. How many businesses can afford fully staffed security operation centers, providing 24x7 coverage?

The concept of performing an automated task based on a specified set of conditions has been present in expert systems for decades. It seems only natural that this technology be employed in network security where response times are critical and downtime so costly. In fact, some elements of automated remediation are now so common that they're easy to overlook. Would any of us buy antivirus software that simply said, "You're infected"? We rely on the intelligence of these products to detect threats and take proactive steps to ensure the integrity of the system.

Michael Maloof

When you consider automated remediation products, the first thing that comes to mind is intrusion prevention. Whether you're evaluating perimeter protection devices or host-based software, the core concepts are the same. To be effective, the product must have access to data, the intelligence to analyze the data and the ability to act when malicious activity is detected. Most network-based intrusion prevention systems (IPS) are in-line devices, so they have unique performance requirements that must be matched to the organization. Similarly, host-based intrusion prevention systems must balance their analysis functions with their impact on the underlying operating system and core applications. Both can be extremely effective, and both are seeing growing market acceptance.

What's not commonly considered when evaluating intrusion prevention or automated remediation products is the implementation of a security information management (SIM) system. Traditionally, these products are passive information analysis and forensic systems, but that role is changing. You will find that vendors are evaluating strategic moves into the automated remediation or active response arena.

Block and tackle
Today's network-based intrusion prevention systems (IPS) do one thing very, very well -- they block traffic. As in-line devices, with sophisticated deep packet analysis and packet assembly technology, they're in the perfect position to kill malicious traffic. Unfortunately, like most point solutions, including their IDS predecessors, their view of the network is limited to the traffic they can see. In large networks, their scope is enhanced by the deployment of multiple devices, but this doesn't address the fundamental problem, which is simply that the packets don't tell the whole story.

When you consider the first two components of intrusion prevention, namely data access and analysis, it's easy to see that most SIM products possess these same attributes. A typical SIM will have access to a tremendous volume of network device data, and some gather host data as well. It's the SIM product's unique perspective of network activity that can provide functionality not found on either network or host-based intrusion prevention systems.

A SIM can monitor data from firewalls, routers, switches, servers, workstations, IDS and even the IPS products themselves, and has the potential to spot patterns of behavior that could easily be missed by the IPS. For example, the IPS isn't going to spot log-on attempts to administrative accounts or monitor the service process exit of your antivirus software and correlate the source IP with rejected SMTP traffic from the firewall. Yet, that pattern is classic worm behavior, and an appropriate response may be to quarantine the source workstation.

The role of intrusion prevention or automated remediation has been typecast as the bouncer that thwarts the bad guy by blocking his access to the network. That role is important, but we need more. With SIM-based remediation technology, you'll soon see responses that ease the everyday burdens of network and security management. Can you imagine a system that automatically responds to the Monday morning account lockout of the guy in sales who can never remember his password? Sure, the system could send you another e-mail, but what if the system could correlate the account, the workstation, the department and the time of day, and then automatically unlock the account -- once, but not twice.

In a recent webcast, Joel Snyder, senior partner of Opus One Labs, suggested that SIM products should be able to detect a configuration change to a firewall or router and trigger a backup of the new configuration. If it's 3:00 AM, you might want to trigger a restore instead, but either way that's an active response that automatically interacts with the system to make your life easier as well as defend the network. The goal is to look beyond simply blocking traffic, and look for policy enforcement, network management and network defense activities that can be automated with this emerging technology.

Active network defense strategy
While SIM products have access to the data, and some have the intelligence to analyze it, few were designed to actually do anything about the activity being observed. That has changed, and these products can now be seriously considered as both analytical and network defense tools.

There are three factors to evaluate when considering a SIM product as an automated remediation technology:

  • What network products and platforms does the SIM support, and can they be incorporated into the response?
  • How comprehensive is the SIM's event correlation, and does it include example rules?
  • Is the correlation and policy management processed in memory, or does it require database analysis?

The first item maps directly to your environment. Does the SIM product support the network devices you own, and will it integrate with your server and workstation platforms? What's not as obvious is the need to understand how the product will implement the responses. You also need a level of correlation that empowers you to act. You'll need the ability to merge the knowledge built into the system with your own expertise and your specific environment.

For those of you on the IT front lines, faced with the realities of budget constraints and stretched resources, you're challenged to make the best decisions you can for your organization. Do you add IPS or SIM? Intrusion prevention products can play a significant role in network defense, and there's every indication that automated remediation in many forms is a significant industry trend. If faced with making a choice, consider that the right SIM can actually help you identify and justify the need for additional security measures.

The problem today is that with so many individual products, or point solutions, it's difficult to see what's really happening on your network. These products are all important elements of a solid defense-in-depth strategy, but they're also silos of information with no way to communicate with each other and no hope of coordinating their actions. SIM can provide the clarity to really see what's happening in your network. Armed with real information and analysis, you'll know where to focus your attention, how to maximize the tools you already own, and be able to justify additional expenditures to close any gaps.

Creating a monster?
The decision to deploy any form of automated remediation can be intimidating. There's no end to the scenarios one can imagine, or will read about, where an automated system turns on its creator and wreaks havoc on the network. The fear is understandable, but with a little research you'll soon discover that reasonable safeguards are available. Basically, these are extensions to the rules and policies that prevent actions from impacting critical assets, restrict activity based on time of day, or act only with corroborating evidence generated from multiple rules.

If the SIM provides a highly granular event taxonomy, the ability to build and test sophisticated correlation rules, and safeguards configured for your environment, you'll have the information you need and the confidence to automate the responses.
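The worm pattern described earlier (antivirus service exit, administrative log-on attempts and rejected SMTP traffic all tied to one source IP) and the safeguards just listed can be put together in a small SIM-style correlator. The following is an added example, not code from the article or from any TriGeo product; the event format, thresholds and the critical-asset list are constructed for illustration.

```python
from collections import defaultdict

# Constructed, normalized events: (timestamp, reporting device, event type, source IP).
# A real SIM would derive these from firewall, domain controller and workstation logs.
EVENTS = [
    ("2005-03-07 03:02:10", "ws-sales-12", "av_service_stopped", "10.1.5.23"),
    ("2005-03-07 03:02:40", "dc01", "admin_logon_failure", "10.1.5.23"),
    ("2005-03-07 03:02:41", "dc01", "admin_logon_failure", "10.1.5.23"),
    ("2005-03-07 03:03:05", "fw01", "smtp_reject", "10.1.5.23"),
    ("2005-03-07 03:03:06", "fw01", "smtp_reject", "10.1.5.23"),
    ("2005-03-07 03:03:07", "fw01", "smtp_reject", "10.1.5.23"),
    ("2005-03-07 03:04:00", "mailrelay", "av_service_stopped", "10.1.0.10"),  # maintenance restart
    ("2005-03-07 03:04:10", "fw01", "smtp_reject", "10.1.0.10"),
    ("2005-03-07 03:04:11", "fw01", "smtp_reject", "10.1.0.10"),
    ("2005-03-07 03:04:12", "fw01", "smtp_reject", "10.1.0.10"),
    ("2005-03-07 09:15:00", "dc01", "admin_logon_failure", "10.1.7.8"),  # one rule only
]

# Safeguards (assumed policy values): never quarantine a critical asset,
# and act only when at least two distinct rules corroborate each other.
CRITICAL_ASSETS = {"10.1.0.10"}      # constructed: the corporate mail relay
SMTP_REJECT_THRESHOLD = 3            # rejects needed before the SMTP rule fires
MIN_CORROBORATING_RULES = 2

def correlate(events):
    """Group events by source IP and return the set of rules that fired per IP."""
    fired = defaultdict(set)
    smtp_counts = defaultdict(int)
    for _ts, _device, etype, ip in events:
        if etype == "av_service_stopped":
            fired[ip].add("av_stopped")
        elif etype == "admin_logon_failure":
            fired[ip].add("admin_logon")
        elif etype == "smtp_reject":
            smtp_counts[ip] += 1
            if smtp_counts[ip] >= SMTP_REJECT_THRESHOLD:
                fired[ip].add("smtp_burst")
    return dict(fired)

def decide(fired, critical=CRITICAL_ASSETS, min_rules=MIN_CORROBORATING_RULES):
    """Map each IP to a response; quarantine needs corroboration and a non-critical asset."""
    actions = {}
    for ip, rules in fired.items():
        if ip in critical:
            actions[ip] = "alert_only_critical_asset"   # safeguard: never act on critical assets
        elif len(rules) >= min_rules:
            actions[ip] = "quarantine"                  # corroborated worm pattern
        else:
            actions[ip] = "alert_only"                  # a single rule is not enough to act
    return actions
```

Running `decide(correlate(EVENTS))` quarantines only the sales workstation; the mail relay shows the same pattern but is held to an alert by the critical-asset safeguard, and the lone log-on failure never reaches the corroboration threshold.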

We'd all like to buy the one product that helps us sleep at night, but experience suggests that the light at the end of the tunnel is usually a train. The reality is that with tens of thousands of compromised systems used to launch probes and attacks, apparently endless vulnerabilities, increasing network complexity and business demands, you're doing well to get any sleep at all.

In a perfect world, all of your systems would be patched, there would be no such thing as a zero-day attack, worms wouldn't traverse the internet in a matter of minutes, and you'd actually get to take vacations. In the real world, you face a highly automated enemy that will stop at nothing to exploit any weakness, so whether it's IPS, SIM or some combination of the two, automated remediation is a technology that warrants serious consideration.

About the author:
Michael Maloof is chief technology officer for TriGeo Network Security, where he leads a team of engineers and researchers working on the leading edge of automated remediation technology. A serial entrepreneur, Michael counts TriGeo as his fourth venture in a career that spans twenty-five years of technology research, design and development.

This was last published in March 2005
