November 2005 Issue

Applying Lessons Learned from Biological Threats to Information Security Strategies
By Axel Tillmann

Ripped from the headlines:
- A new SARS virus outbreak in Central China requires that travelers from overseas be quarantined when returning home, to prevent further spreading of the virus in their home countries.
- The virus thought to cause SARS is constantly changing form, say scientists, presenting a significant challenge in developing an effective vaccine.

Why are we talking about biological infections here, in the context of computer security? It’s simple: technology-based threats to information and networks imitate nature in more ways than just sharing the moniker of “viruses.” A close look at how we cope with biological outbreaks may offer lessons in how to better manage the increasing rate and effectiveness of network security breaches.

There are two lessons that network and security administrators can take from the above anecdotes about dealing with life-threatening viruses:
1. Isolation of the individual is an effective way to take a potential carrier out of action until a clean bill of health is issued.
2. Prevention in the form of a vaccine is often stymied by the constant mutation of the virus.

As in nature, a case can be made that in today’s corporate network environments 100 percent prevention is no longer possible, given the frequency, sophistication and complexity of worms, viruses and other attacks on computers and system infrastructure. Simply shutting off entire sections of the network is not an acceptable answer either in today’s demand-driven, 24/7 operations.

The imperative in network protection reflects the strategy for dealing with travelers returning from Asia: one person (desktop, laptop or server) is isolated at a time to allow the operation to continue at maximum capacity.

The challenge in achieving this level of granularity for quarantining or isolating in today’s network operations comes down to one simple concept: complexity. Manual response, which is still the common approach even in enterprises with thousands of nodes, is just not up to the task, especially given the speed at which attacks propagate. What’s needed now is a more robust, intelligent approach that reflects the convergence of network and security operations, captures the best practices of each discipline, and applies them automatically to drive fast, focused and fully auditable response.

The State of Denial
Mankind suffers from false pride when it comes to technology. Since we’ve built it, we believe we are invincible; hence, the belief that prevention will keep us safe. This is fostered by an onslaught of marketing messages ignoring technical reality.

Today, security operations are focused much more on prevention and detection, and it’s impossible to deny that this emphasis has its merits. The recently released 2005 CSI/FBI study looked at the impact of security breaches at more than 600 companies and found a 61 percent reduction in follow-on costs to clean up compromises, because most corporations now have prevention and detection technology deployed.

This is all well and good when the attack comes from a known virus: software vendors are quick to respond once a virus hits, with a signature or patch that protects the network from further exposure … to that same virus.

Earlier in the year, the SANS Institute reported that more than 600 new Internet security holes surfaced in the first quarter of 2005; 20 were deemed dangerous because they remained unfixed on a large number of Internet-connected computers, even though software developers had quickly made patches available. The same report cited evidence of computer criminals’ intent to design and execute attacks specifically to bypass or disable existing detection technology. The prediction manifested itself in late May in the form of TR/Dldr.Bagle.BR, a worm variant that targeted a long list of security services and disabled them.

Intervention Is the Key
What’s not being addressed in a meaningful way today is response. As Gartner Research pointed out in a recent report, prevention and detection will only pay off when response is in place.

Enterprises need to design and execute response strategies that are:
1. Immediate -- the working assumption in this article is that a worm can double the number of infected hosts roughly every 8.5 seconds, so a response measured in minutes is already too slow.
2. Concise -- the action must be precisely scoped to the outbreak location, not a blanket shutdown.
3. Repeatable -- procedures need to be defined in advance, despite the complexity of the network environment.
4. Vendor agnostic -- it should not matter which make of infrastructure equipment has to carry out the isolation.
5. Protective of important services -- DNS and DHCP servers, for example, must never be quarantined by mistake, or the cure stops the business as surely as the worm would.
6. Documented -- Sarbanes-Oxley and other federal regulations demand that all actions taken be auditable, under attack as well as in normal operation.
7. Capable of quarantining anywhere in the network -- wired, wireless, VPN, internal or external; the isolation must be applied as close as possible to the host’s point of network entry (the access switch port, wireless access point or VPN concentrator) to prevent any further spreading of the problem.

Meeting the complexity and intensity of securing networks in the case of a breach is often left to a small band of hardy heroes whose resources are stretched to the limit. Consider this scenario: At 3 a.m., the security team wakes the network engineer, who has to go through lengthy procedures to identify the precise location (switch and port) of each individual infection point. He then has to decide what action to take, implement it, and hope he does not transpose a couple of digits and shut down the wrong station or a valuable service. In this state, it’s not likely that he’s prepared to document everything that’s been done.

The next day, when the damage of the station is repaired, he has to engage in the same procedures to re-identify the station’s location in order to reverse the action from the night before. Two weeks later, everything is forgotten, just as the corporate office needs to produce a quarterly report and document the actions taken.
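As an added illustration (not code from the article or from ENIRA), the following Python sketch shows what the seven requirements above and the 3 a.m. scenario look like once the locate, act, reverse and document steps are automated. Everything in it is constructed: the Snort-style alert line, the ARP and switch MAC tables, the switch and port names, the protected-server list and the operator roles are made up for the example, and the switch commands are only recorded in a ticket, never sent to any equipment.

```python
"""Added example (not from the article or ENIRA): an automated, auditable
host-quarantine workflow. All tables, names and the alert are constructed."""
import json
import re
from datetime import datetime, timezone

# Constructed Snort-style "fast" alert; the rule id is a local-range dummy.
ALERT = ('10/27-03:04:11.123456  [**] [1:1000001:1] WORM mass-mailer SMTP '
         'burst [**] [Priority: 1] {TCP} 10.1.20.57:4312 -> 10.1.5.9:25')

# Constructed ARP table (IP -> MAC) and switch CAM table (MAC -> switch, port).
ARP = {"10.1.20.57": "00:1a:2b:3c:4d:5e", "10.1.5.9": "00:1a:2b:00:00:53",
       "10.1.5.10": "00:1a:2b:00:00:54"}
CAM = {"00:1a:2b:3c:4d:5e": ("sw-floor2", "Gi1/0/17"),
       "00:1a:2b:00:00:53": ("sw-core", "Gi1/0/1"),
       "00:1a:2b:00:00:54": ("sw-core", "Gi1/0/2")}

# Requirement 5: services that must never be quarantined automatically.
PROTECTED = {"10.1.5.9": "DNS", "10.1.5.10": "DHCP"}

# The "who": roles allowed to quarantine and to release (assumed roles).
ROLES = {"soc-oncall": {"quarantine"}, "net-admin": {"quarantine", "release"}}

ALERT_RE = re.compile(r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")

AUDIT_LOG = []  # append-only JSON records; in production a write-once store


def locate(ip):
    """Resolve an IP to (switch, port) via ARP then CAM; None if unknown."""
    mac = ARP.get(ip)
    return CAM.get(mac) if mac else None


def audit(action, operator, ip, location, outcome, ticket=None):
    """Requirement 6: every attempt, applied or refused, leaves a record."""
    rec = {"ts": datetime.now(timezone.utc).isoformat(), "action": action,
           "operator": operator, "ip": ip, "location": location,
           "outcome": outcome, "ticket": ticket}
    AUDIT_LOG.append(json.dumps(rec, sort_keys=True))
    return rec


def quarantine_from_alert(alert, operator):
    """Parse an alert, apply the guard rails, and record a reversible action.
    Returns the audit record; on success it carries a ticket with the
    exact undo step, so release needs no second lookup of the host."""
    if "quarantine" not in ROLES.get(operator, set()):
        return audit("quarantine", operator, None, None, "refused: unauthorized")
    m = ALERT_RE.search(alert)
    if not m:
        return audit("quarantine", operator, None, None,
                     "refused: unparsable alert")
    ip = m.group("src")
    if ip in PROTECTED:
        return audit("quarantine", operator, ip, None,
                     f"refused: protected {PROTECTED[ip]} server")
    loc = locate(ip)
    if loc is None:
        return audit("quarantine", operator, ip, None,
                     "refused: host not located")
    switch, port = loc  # requirement 7: act at the point of entry
    ticket = {"ip": ip, "switch": switch, "port": port,
              "apply": f"{switch}: interface {port} shutdown",
              "undo": f"{switch}: interface {port} no shutdown"}
    return audit("quarantine", operator, ip, f"{switch}/{port}", "applied",
                 ticket)


def release(ticket, operator):
    """Reverse a quarantine from the stored ticket, not a fresh lookup."""
    if "release" not in ROLES.get(operator, set()):
        return audit("release", operator, ticket["ip"], None,
                     "refused: unauthorized")
    return audit("release", operator, ticket["ip"],
                 f"{ticket['switch']}/{ticket['port']}", "applied", ticket)


if __name__ == "__main__":
    rec = quarantine_from_alert(ALERT, "soc-oncall")
    release(rec["ticket"], "net-admin")
    print("\n".join(AUDIT_LOG))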

Mitigating the Human Factor
These shortcomings are nobody’s fault; they are the nature of the beast. In this case, the beast is complex network architectures. The only way out of the dilemma is to use technology. An enterprise-strong tool needs to be deployed that automates all of the activity through either manual input or full integration with all available security sensor technology that is already deployed.

Why? Because without technology, manual “quarantine” procedures are far too slow to tame this high-tech beast. If a worm doubles its population every 8.5 seconds, then after just 1.5 minutes (90 seconds, about 10 doublings) 1,024 stations could potentially be infected. How does this fare against typical manual response times? From detection to the first reaction of the networking group, response times range from 15 minutes to hours, depending on the environment. In just 15 minutes (900 seconds) about 106 doublings could take place, and 2 to the 106th power is a 32-digit number -- more hosts than exist on any network or, for that matter, the whole Internet. While there are mitigating factors, such as switched-off machines, a finite number of reachable hosts, slower propagation or sheer luck, the typical impact is hundreds of machines.
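To make the arithmetic above concrete, here is an added Python simulation (an editor’s example, not from the article or its author) of a randomly scanning worm on a small network, run once with a 15-minute manual response and once with a half-second automated one. The parameters are assumptions chosen to match the article’s 8.5-second doubling, not measurements: each active host attempts one random target per second with probability 1/8.5, and an infected host is isolated detect_s + respond_s seconds after it was infected. The quantity to watch is (detect_s + respond_s) / doubling_s, the number of new hosts each infected host seeds before it is cut off; below 1 the outbreak dies out on its own, above 1 it saturates the network.

```python
"""Added example (not from the article): worm spread versus quarantine latency.
Model and parameters are constructed assumptions, not measurements."""
import math
import random


def unchecked_estimate(seconds, doubling_s=8.5, reachable=None):
    """The article's back-of-envelope figure: 2**(seconds // doubling_s),
    optionally capped at the number of reachable hosts."""
    n = 2 ** math.floor(seconds / doubling_s)
    return n if reachable is None else min(n, reachable)


def simulate(n_hosts=2000, doubling_s=8.5, detect_s=5.0, respond_s=900.0,
             max_time=900, seed=1):
    """Run one outbreak for up to max_time seconds and summarise it."""
    rng = random.Random(seed)       # fixed seed keeps runs reproducible
    p_attempt = 1.0 / doubling_s    # attempts per active host per second
    delay = detect_s + respond_s    # seconds from infection to isolation
    infected_at = {0: 0.0}          # host -> time it was infected
    active = {0}                    # infected hosts still able to spread
    quarantined = set()
    t = 0
    for t in range(1, max_time + 1):
        # Response: isolate hosts whose detection + response delay has elapsed.
        for h in [h for h in active if infected_at[h] + delay <= t]:
            active.discard(h)
            quarantined.add(h)
        # Propagation: each active host may scan one random host this second.
        for h in list(active):
            if rng.random() < p_attempt:
                target = rng.randrange(n_hosts)
                if target not in infected_at:
                    infected_at[target] = float(t)
                    active.add(target)
        if not active or len(infected_at) == n_hosts:
            break   # outbreak died out, or every host is already infected
    return {"infected": len(infected_at), "quarantined": len(quarantined),
            "still_active": len(active), "seconds": t}


def compare(n_hosts=2000):
    """Manual response (15 minutes) versus automated response (0.5 s)."""
    return {"manual_15min": simulate(n_hosts, respond_s=900.0),
            "automated_0.5s": simulate(n_hosts, respond_s=0.5)}


if __name__ == "__main__":
    print("unchecked estimate after 90 s:", unchecked_estimate(90))
    for name, result in compare().items():
        print(f"{name}: {result}")
```

With a 5-second detection delay and a 15-minute manual response, every infected host keeps scanning for about 905 seconds, so the network saturates long before anyone acts; with the same detection delay and a half-second automated response each host is cut off after 5.5 seconds, seeds on average 5.5 / 8.5 ≈ 0.65 new victims, and the outbreak fizzles after a handful of machines.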

What’s needed is an Incident Response System that isolates an infected system in milliseconds, quarantines any number of stations in less than a second, and is no longer dependent on human reaction time and response decisions.

The effect of such a system goes beyond the immediate response capabilities. The convergence of separate security and network operations is the key concept here. Any enterprise solution needs to bridge between departments -- not separate them further. Since the “how” is fully automated through network robotics technology, the “who” should be a question of proper procedure and no longer a question of certification courses or departments. Of course, it requires granular user account settings to set the proper authority levels; otherwise, the power of such a system could easily be misused.

Given that the right technology is in place, quarantining today can be effective and immediate, as well as fully automated and integrated with the sensor technologies already deployed (IDS, IPS, SIM, etc.). This is a level of response that is repeatable, reliable and auditable. Deploying this technology makes computer network quarantine as effective as a real-life quarantine, stopping an “infection” before it can do more harm.

About the Author:
Axel Tillmann is vice president of ENIRA Technologies (www.enira.com), a provider of intelligent network solutions. He can be reached at (888) 277-7638.
