In part one of this series, we discussed the challenges IT professionals face when building a security infrastructure.
It's often tempting to overindulge in the hottest tools, turning the race to secure the enterprise into a buying binge, with the result that information security comes to be seen as a money pit.
In the halcyon days of security, when fear, uncertainty and doubt, or FUD, was in short supply and IT budgets were smaller, people created their own tools or made do by customizing what they already had.
Many of the best open source programs were born from someone's need to solve a problem efficiently and inexpensively. Nmap, Wireshark and Snort all started out this way. A good Unix engineer could also work security magic with a Perl script, or even with sed and awk. When did information security become obsessed with buying instead of building?
Many monitoring systems can do double-duty as a security tool
The business can get a better return on investment by using features of its existing tools for security functions. Monitoring systems, for example, give you real-time visibility into your infrastructure, yet most organizations simply don't spend enough time configuring them to realize their value to information security. Any good enterprise monitoring system will send out alerts when a service is down, a resource threshold is exceeded or a response time is too slow, and all of these can be signs of malicious activity. Nagios and MRTG are great open source applications, but plenty of commercial tools can do double duty as security monitors. And everyone always seems to forget about NetFlow. Why would you need an expensive, dedicated Internet security tool to tell you there's anomalous activity on the network when you could track and report traffic patterns with a NetFlow collector?
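The NetFlow point above comes down to a per-host baseline and a threshold. The script below is an added example, not code from the original article or from any collector product: it runs on constructed NetFlow-style records (day, source, destination, port, bytes) rather than a real export, builds each host's mean daily volume and the set of destination ports it uses over a baseline window, and flags a review day that breaks either.

```python
"""Spot hosts whose daily outbound traffic departs sharply from their own baseline.

Added example, not code from the original article. It runs on constructed
NetFlow-style records (day, src, dst, dport, bytes) instead of a collector
export; the per-host baseline and threshold logic is what it demonstrates.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, src_ip, dst_ip, dst_port, bytes).
# Days 1-5 form the baseline window; day 6 is the window under review.
FLOWS = [
    (1, "10.1.1.10", "203.0.113.5", 443, 120_000),
    (1, "10.1.1.10", "203.0.113.9", 443, 80_000),
    (2, "10.1.1.10", "203.0.113.5", 443, 150_000),
    (3, "10.1.1.10", "203.0.113.5", 443, 110_000),
    (4, "10.1.1.10", "203.0.113.5", 443, 130_000),
    (5, "10.1.1.10", "203.0.113.5", 443, 125_000),
    (1, "10.1.1.20", "203.0.113.5", 443, 50_000),
    (2, "10.1.1.20", "203.0.113.5", 443, 55_000),
    (3, "10.1.1.20", "203.0.113.5", 443, 45_000),
    (4, "10.1.1.20", "203.0.113.5", 443, 60_000),
    (5, "10.1.1.20", "203.0.113.5", 443, 50_000),
    # Day 6: .10 looks like itself; .20 sends ~40x its usual volume to a
    # destination on a port it has never used before.
    (6, "10.1.1.10", "203.0.113.5", 443, 140_000),
    (6, "10.1.1.20", "198.51.100.77", 8443, 2_100_000),
]
BASELINE_DAYS = {1, 2, 3, 4, 5}
REVIEW_DAY = 6


def daily_totals(flows):
    """src_ip -> {day: total bytes}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, _dport, nbytes in flows:
        totals[src][day] += nbytes
    return totals


def dest_ports(flows):
    """src_ip -> set of destination ports it talked to."""
    ports = defaultdict(set)
    for _day, src, _dst, dport, _nbytes in flows:
        ports[src].add(dport)
    return ports


def build_profile(flows, baseline_days):
    """Per-host mean and population stdev of daily bytes, plus ports seen,
    over the baseline window. Silent days count as zero so a host that is
    normally quiet keeps a low mean."""
    window = [f for f in flows if f[0] in baseline_days]
    totals = daily_totals(window)
    ports = dest_ports(window)
    profile = {}
    for src, per_day in totals.items():
        series = [per_day.get(d, 0) for d in sorted(baseline_days)]
        profile[src] = {"mean": mean(series), "stdev": pstdev(series), "ports": ports[src]}
    return profile


def find_anomalies(flows, baseline_days, review_day, k=3.0, min_ratio=2.0):
    """Return (src_ip, reason) findings for the review day."""
    profile = build_profile(flows, baseline_days)
    review = [f for f in flows if f[0] == review_day]
    totals = daily_totals(review)
    ports = dest_ports(review)
    findings = []
    for src, per_day in totals.items():
        total = per_day[review_day]
        prof = profile.get(src)
        if prof is None:
            findings.append((src, "no baseline: host not seen during baseline window"))
            continue
        # Require both a z-score breach and a real multiple of the mean, so a
        # flat baseline (stdev near zero) does not fire on trivial variance.
        threshold = prof["mean"] + k * prof["stdev"]
        if total > threshold and total > min_ratio * prof["mean"]:
            findings.append((src, f"bytes {total} vs baseline mean {prof['mean']:.0f}"))
        new_ports = ports[src] - prof["ports"]
        if new_ports:
            findings.append((src, f"new destination ports {sorted(new_ports)}"))
    return findings


if __name__ == "__main__":
    for src, reason in find_anomalies(FLOWS, BASELINE_DAYS, REVIEW_DAY):
        print(f"ALERT {src}: {reason}")
```

The two-part threshold (z-score plus a minimum multiple of the mean) is deliberate: a host with a nearly flat baseline has a standard deviation close to zero, and a pure z-score would page you for a few kilobytes of variance. Feeding real collector output only means replacing `FLOWS` with records parsed from your exporter.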
Domain name system has powerful tools
Additionally, the domain name system (DNS) offers some powerful capabilities to protect your enterprise. First, there is the DNS sinkhole, a technique that decreases malicious activity on the network by having a recursive server answer queries for unsavory domains with nonroutable addresses, so clients never reach them. The Internet Systems Consortium has made this process even easier through Response Policy Zones (RPZ), which are now baked into BIND. The integration lets users feed reputation data into recursive DNS services more easily, making management more seamless. You can significantly decrease malware in your environment by using this little-known tool. Query logging has always been a great incident response tool, a way to find out where your malware may be hiding, but if your DNS server doesn't have the storage or the spare processing power for query logging, you could set up a passive DNS collector to identify attack trends and compromised hosts.
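Both halves of that paragraph, the sinkhole and the query log, can be served by a short script. The following is an added example, not code from the original article or from ISC: it renders a reputation list as an RPZ zone in BIND's zone-file syntax (using the standard `CNAME .` form for NXDOMAIN, or a local A record when you want hits to land on a sinkhole host), and then parses constructed BIND `query:` log lines to list which clients asked for sinkholed names. The blocklist, the sinkhole address and the log excerpt are all constructed.

```python
"""Turn a reputation feed into a BIND RPZ zone and mine query logs for the
hosts that tried to reach sinkholed names.

Added example, not code from the original article or from ISC. The blocklist
and log lines are constructed; the log format follows BIND's "query:" log
line, and the zone uses standard RPZ record forms (CNAME . for NXDOMAIN, or
a local A record pointing at a sinkhole address).
"""
import re
from collections import defaultdict

# Constructed stand-in for a reputation feed.
BLOCKLIST = ["evil.example", "c2.badhost.example"]

# Constructed BIND query log excerpt.
QUERY_LOG = """\
12-Mar-2024 10:01:02.123 queries: info: client 10.1.1.20#51234 (evil.example): query: evil.example IN A + (10.1.1.1)
12-Mar-2024 10:01:05.456 queries: info: client 10.1.1.20#51240 (www.vendor.example): query: www.vendor.example IN A + (10.1.1.1)
12-Mar-2024 10:02:11.001 queries: info: client 10.1.1.31#40001 (beacon.c2.badhost.example): query: beacon.c2.badhost.example IN A + (10.1.1.1)
12-Mar-2024 10:02:12.002 queries: info: client 10.1.1.31#40002 (beacon.c2.badhost.example): query: beacon.c2.badhost.example IN AAAA + (10.1.1.1)
12-Mar-2024 10:03:00.000 queries: info: client 10.1.1.40#40003 (mail.corp.example): query: mail.corp.example IN MX + (10.1.1.1)
"""

# Tolerates both the older "client IP#port:" and the newer "client @0x... IP#port (name):" forms.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def rpz_zone(domains, sinkhole_ip=None):
    """Render an RPZ zone file body for the given domains and their subdomains.

    Without a sinkhole address the policy answers NXDOMAIN (CNAME .); with one
    it answers a local A record, which lets a sinkhole host log the hits."""
    lines = [
        "$TTL 300",
        "@ IN SOA localhost. root.localhost. 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for d in domains:
        d = d.rstrip(".").lower()
        for owner in (d, f"*.{d}"):  # owner names are relative to the RPZ zone
            if sinkhole_ip:
                lines.append(f"{owner} IN A {sinkhole_ip}")
            else:
                lines.append(f"{owner} IN CNAME .")
    return "\n".join(lines) + "\n"


def is_blocked(name, blocklist):
    """True if name equals, or is a subdomain of, any blocklisted domain."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in blocklist)


def blocked_queries(log_text, blocklist):
    """Map each client IP that queried a blocklisted name to the names it asked for."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_blocked(m["name"], blocklist):
            hits[m["ip"]].add(m["name"].rstrip(".").lower())
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    print(rpz_zone(BLOCKLIST))
    for ip, names in blocked_queries(QUERY_LOG, BLOCKLIST).items():
        print(f"{ip} queried sinkholed names: {', '.join(names)}")
```

The generated zone is loaded into BIND as an ordinary zone and activated with a `response-policy { zone "rpz.local"; };` statement in the `options` block (the zone name is an assumption here). The `is_blocked` check insists on a label boundary, so `notevil.example` does not match a block on `evil.example`; the same suffix logic is what the wildcard RPZ records express on the server side.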
Configuration management tools yield other benefits
Then there are your configuration management tools. These applications aren't just useful for ensuring that people comply with your change management policy or for rolling back to a previous configuration. They also can inform your security team if an attacker is making changes in your environment. The only thing required is configuring and tweaking alerts after creating some baselines.
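The "create some baselines, then alert on drift" step above is small enough to show end to end. The script below is an added example, not code from the original article or from any configuration management product: `snapshot_tree()` hashes every file under a directory, `diff_snapshots()` reports what was added, removed or changed against a stored baseline, and `alerts()` raises the severity for paths on a sensitive list. The two snapshots and the sensitive-path list are constructed for illustration.

```python
"""Compare a configuration snapshot against a stored baseline and raise alerts.

Added example, not code from the original article or from any configuration
management product. snapshot_tree() hashes real files under a directory; the
BASELINE/OBSERVED dictionaries are constructed stand-ins for two such
snapshots so the comparison runs offline. The sensitive-path list is an
assumption chosen for illustration.
"""
import hashlib
import os

SENSITIVE_PREFIXES = ("/etc/ssh/", "/etc/sudoers", "/etc/cron", "/etc/pam.d/")


def snapshot_tree(root):
    """path -> sha256 of content for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if os.path.isfile(path):  # skips sockets, broken symlinks, etc.
                with open(path, "rb") as fh:
                    snap[path] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def snapshot_contents(files):
    """Same shape as snapshot_tree(), from an in-memory {path: bytes} mapping."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_snapshots(baseline, current):
    """Paths added, removed, or whose content hash changed since the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "changed": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def alerts(diff, sensitive=SENSITIVE_PREFIXES):
    """(severity, kind, path) tuples: HIGH for sensitive paths, INFO otherwise."""
    out = []
    for kind in ("changed", "added", "removed"):
        for path in diff[kind]:
            sev = "HIGH" if path.startswith(sensitive) else "INFO"
            out.append((sev, kind, path))
    return out


# Constructed snapshots: the baseline taken at the last change window and the
# state observed now. Root login was switched on, a sudoers drop-in vanished,
# a new cron job appeared, and the MOTD text was edited.
BASELINE = snapshot_contents({
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers.d/ops": b"%ops ALL=(ALL) ALL\n",
    "/etc/motd": b"Authorized use only.\n",
})
OBSERVED = snapshot_contents({
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/cron.d/nightly": b"0 2 * * * root /usr/local/bin/nightly-sync\n",
    "/etc/motd": b"Authorized use only. Maintenance window Sunday.\n",
})

if __name__ == "__main__":
    for sev, kind, path in alerts(diff_snapshots(BASELINE, OBSERVED)):
        print(f"{sev:4} {kind:7} {path}")
```

In practice the baseline dictionary is what you serialize after each approved change; anything the next snapshot reports that does not line up with a change ticket is the signal the security team wants. Running `snapshot_tree("/etc")` from cron and diffing against the stored copy is the whole tool.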
You also have some very beneficial features in most wireless management systems (WMSes). It often isn't necessary to spend money on a dedicated wireless intrusion-prevention or intrusion-detection system (IDS), because most organizations can get by with features already available in the base WMS. Any good enterprise WMS will detect rogues and can write to syslog or send an SNMP trap. You could send these to a log correlation system or generate email alerts for the security team.
Logs are always useful to an organization but, according to the SANS Institute, most organizations don't spend enough time with them. This is unfortunate, because they're a treasure trove of security data. But you don't always need expensive security information and event management; oftentimes you can get what you need by using a simple utility like Logcheck (or a Windows equivalent) to identify security violations. A few alerts to a vigilant sysadmin can be quite effective.
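A Logcheck-style filter is only a few dozen lines once you accept its layering: lines matching a violation pattern are reported with a tag, lines matching an ignore pattern are dropped as known noise, and whatever is left is reported as unexplained for a human to look at. The script below is an added example, not code from the original article or from the Logcheck project; the rule sets and the syslog lines are constructed, and the rogue-AP line stands in for the syslog export of a wireless management system from the previous paragraph.

```python
"""Logcheck-style filtering: drop known-benign log lines, flag the ones that
matter, and surface anything unexplained for a human to look at.

Added example, not code from the original article or from the Logcheck
project; it follows Logcheck's layering (violation patterns first, then
ignore patterns, then everything left over). The rule sets and the syslog
lines are constructed; the rogue-AP line stands in for a wireless
management system's syslog export.
"""
import re
from collections import Counter

# Lines matching these are reported with a tag, whatever else they match.
VIOLATIONS = [(re.compile(p), tag) for p, tag in (
    (r"sshd\[\d+\]: Failed password", "auth-failure"),
    (r"sshd\[\d+\]: Accepted password for root", "root-password-login"),
    (r"sudo: .* COMMAND=", "privileged-command"),
    (r"useradd\[\d+\]: new user", "account-created"),
    (r"Rogue AP detected", "rogue-ap"),
)]

# Lines matching these are known noise and dropped.
IGNORE = [re.compile(p) for p in (
    r"sshd\[\d+\]: Accepted publickey for \w+ from 10\.1\.0\.",  # admins from the mgmt net
    r"CRON\[\d+\]: pam_unix\(cron:session\): session (opened|closed)",
    r"systemd\[1\]: (Started|Starting) ",
)]

# Constructed syslog excerpt.
SYSLOG = """\
Mar 12 10:00:01 web1 sshd[2211]: Accepted publickey for deploy from 10.1.0.5 port 50122 ssh2
Mar 12 10:00:07 web1 CRON[2230]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 10:00:09 web1 sshd[2240]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Mar 12 10:00:10 web1 sshd[2240]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Mar 12 10:01:15 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar 12 10:02:00 wlc1 wms: Rogue AP detected: BSSID 00:11:22:33:44:55 SSID "Free-WiFi" channel 6
Mar 12 10:03:30 web1 useradd[2300]: new user: name=svc-tmp, UID=1005, GID=1005, home=/home/svc-tmp
Mar 12 10:04:00 web1 kernel: [12345.678] usb 1-1: new high-speed USB device number 4 using xhci_hcd
"""


def classify(line):
    """Return a violation tag, None for ignorable noise, or "unmatched"."""
    for rx, tag in VIOLATIONS:
        if rx.search(line):
            return tag
    if any(rx.search(line) for rx in IGNORE):
        return None
    return "unmatched"


def review(log_text):
    """Split lines into reported (tag, line) pairs and a count of dropped lines."""
    reported, dropped = [], 0
    for line in log_text.splitlines():
        tag = classify(line)
        if tag is None:
            dropped += 1
        else:
            reported.append((tag, line))
    return reported, dropped


def summarize(log_text):
    """Tag -> count: the one-screen view a sysadmin reads first."""
    reported, _ = review(log_text)
    return Counter(tag for tag, _ in reported)


if __name__ == "__main__":
    reported, dropped = review(SYSLOG)
    print(f"{dropped} lines dropped as known noise")
    for tag, line in reported:
        print(f"[{tag}] {line}")
```

Checking violations before ignores is the important ordering: an ignore rule written too broadly can never hide a failed login or a new account. The "unmatched" bucket is where the ignore list gets tuned over time, and it is also where the genuinely new things show up first.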
Finally, while most organizations have the budget for a firewall and an IDS, they can't always afford the hefty price tag that comes with a niche Internet security tool that's supposed to prevent the latest attack trend. There's a lot of competition for IT dollars within the enterprise. Management is demanding a better "bang for the buck" and is less willing to fork over money for the latest bit of "security cool." Maybe most of us would be better served by taking advantage of the features contained in products we already own. Not only would we get the same or even better functionality, we could also avoid all the grandstanding.