There is a fundamental issue in the way that enterprises defend their networks, and it stems from how they assess their security posture. It also explains how organizations pass network penetration testing and yet still get hacked.
Bolstering enterprise security
13 steps to protecting assets
Intrusion detection and protection
Protection against APT
In reality, neither approach does much to actually improve network security. The cycle usually plays out like this: An organization hires a security company to perform a broad-spectrum penetration test on its network. Inevitably, the security consultant issues a report that outlines a full slate of vulnerabilities and describes the dire consequences that will result unless urgent action is taken.
Shocked from procrastination, the organization throws money at the problem and hastily deploys a signature-based IDS to mop up the identified vulnerabilities. The test is repeated and, lo and behold, the shiny new IDS lights up like a Christmas tree. Cue back-slapping and satisfaction of a job well done. Except that it isn't. A month later someone notices that a critical server is leaking data like a sieve. At best, the IDS noticed and generated an alert (along with a thousand other things). At worst, the credit card processor realizes that your Web store is the common factor in a spike in credit fraud and cuts you off.
Automated network penetration testing isn't doing the job
Real-world hacks often have a much defter touch than the "scorched earth" approach of automated testing. For the most part, attackers are not concerned with Internet Information Server vulnerabilities patched in 2009 -- the same ones with which today's automated test tools seem to be obsessed.
We are in the position where the symptoms and cure validate each other, and yet the patient is still sick; Web servers still get hacked. It is clear that a new approach is required. Enterprises need to look to tools and technologies that defend against the techniques hackers use rather than rely on the individual vulnerability or the artificial circumstances an automated penetration test identifies.
A variety of vendors, among them Check Point Technologies Ltd., FireEye Inc. and Juniper Networks, have brought products to market that defend against more sophisticated and blended attacks (sometimes referred to as advanced persistent threats, or APT). These tools seek to augment more traditional security controls with intelligence- and reputation-based assessments of whether traffic is "good" or "bad." However, unless these approaches are underpinned with reliable incident management, these technologies will simply become the next most expensive and ignored devices on the network, and history will repeat itself.
About the author
Glen Kemp is an enterprise solutions architect for a UK-based managed services provider. He designs and deploys network and application security tools, including access control, remote access, firewalls and other "keep the bad guys out" technologies. He is an experienced professional services consultant; delivering elephants and not hunting unicorns. His blogs can be found at sslboy.net and at the Packet Pushers Podcast. Follow him on Twitter @ssl_boy.