Centralized Security Management Provides Foundation for Effective Intrusion Prevention
By Hugh S. Njemanze, CISSP
In the last year, intrusion prevention has supplanted intrusion detection as a best practice in security. This evolution can be seen in the development of intrusion detection systems (IDSs), which are deployed in IP networks to examine packet streams in real time and determine whether a potentially damaging attack is occurring. The role of an IDS is to generate an alarm or alert when it determines that an attack is underway. The evolution of IDSs into intrusion prevention devices follows the logic that once an attack is detected, the resulting damage can be reduced or eliminated by blocking, or somehow preventing, the packets from reaching their intended target. The problem with these devices as intrusion detectors is that while they do in fact identify potentially harmful events, the number of false positives (nonthreatening events identified as threatening) is exceedingly high, taking up bandwidth and hiding true attacks.1 The percentage of false positives can be reduced by careful monitoring and tuning for a specific environment, but a residue of misidentified events will remain. Consequently, unless the false positive problem is remedied, an IDS's efforts at intrusion prevention will carry a high likelihood that the automated responses will have unintended negative outcomes. To reduce the chances of negative consequences, a mechanism is needed to provide, at the device level, the same information and decision structure that a security analyst uses to develop and take a particular action.
The Context of an Attack

The reason packet-oriented detection systems produce so many false positives is that they lack sufficient context to accurately determine the potential threat. The context for the threat score consists not only of the exploit or attack embodied in the packets streaming through, but also a three-dimensional set of factors that an experienced security analyst would consult to determine how serious the situation is and what actions to take. They are:
• Other relevant events occurring
• The vulnerability of the target
• The value of the target to the organization

As an example, consider a situation in which an IDS has detected a buffer overflow attack. Given the potential damage that a buffer overflow exploit can cause, the alert level raised by the IDS is very high. When the security analyst becomes aware of that high-priority alert, there is a host of questions that need to be answered before an action can be taken. Did the attack make it to the intended target? Is the host system patched to reduce its vulnerability to the attack? Is the host valuable enough to the organization to warrant attention ahead of other assets that may be under attack? Does the target even exist? Based on the answers to these questions, the analyst can build a plan of action. While new types of IDS devices are attempting to bring in more context, such as target information, there is no way that a single device on the network (especially one at the perimeter) can answer all these questions to determine the appropriate response. It simply does not have a wide enough purview over collateral activity (such as what is happening at the firewall), policies and asset status to provide an integrated picture of the threat and resulting risk. Consequently, if an analyst must look beyond the detection device for the context of the event before taking action, anything done automatically in the name of prevention at the device level will be highly prone to error. Error in this case means inadvertently blocking legitimate traffic, turning the security system into a highly efficient engine for denial of service.

Providing Automated Context Via Centralized Security Risk Management

Many organizations have recognized the need to automatically provide the context necessary to detect and respond to legitimate threats and attacks in the wake of the millions of alarms, alerts and messages that emanate from the firewalls, IDSs and hosts connected on their networks. Without some means to collect, aggregate, analyze and display the security status of the entire infrastructure, security analysts are overwhelmed by the sheer volume of raw data hiding the critical information necessary to identify and deal with an attack or exploit. Security risk management systems consist of software that collects security-relevant information from the IT infrastructure, stores it in a database, and then provides a range of analysis, display, response and reporting tools for the security organization. A typical security risk management architecture is shown in figure 1. The collection is performed by small programs, called agents, that parse the raw messages, format them in a common schema and send them to the next layer of the system for analysis, display and storage. The manager performs all the storage and display management and does all the real-time correlation to identify true threats and attacks. For display, there typically is a choice between a workstation-based console and a browser interface. This architecture provides leverage because it moves the analyst from watching multiple consoles, examining multiple databases and consulting multiple logs, to utilizing a single database, a single display and a coordinated and common set of tools. The major features to look for include:
• 100 percent capture and normalization of the alarms, alerts and messages that come from the security devices
• Flexible deployment, so network topologies and policies do not have to be changed to accommodate the system
• Use of enterprise-class databases, such as Oracle or DB2, to store the event data
• Highly configurable graphical displays to cue the security analyst visually when a high-severity event is occurring
• Real-time risk correlation analysis that examines the event context and scores the threat severity accordingly
• A full range of incident response and reporting tools to act on the true threats and attacks

Security risk management software automates and elevates the best practices of the security organization by providing the consolidated information, analysis and response tools required to detect and mitigate the effects of attacks. However, there still may be instances in which manual forensic collection procedures remain necessary for evidentiary purposes. Even in this case, the centralized catalog of all the relevant data in the security management system makes evidence collection much more efficient.

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 4, 2003
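The agent's parse-and-normalize step described above can be sketched as follows. This is a minimal illustration, not any vendor's implementation: the raw alert format, the field names and the `NormalizedEvent` schema are all invented for the example, since real device formats and common schemas vary.

```python
import re
from dataclasses import dataclass

@dataclass
class NormalizedEvent:
    """Common schema shared by all agents (fields are illustrative)."""
    device: str
    src_ip: str
    dst_ip: str
    signature: str
    severity: int

# Hypothetical raw IDS alert line; real formats differ per device.
RAW_PATTERN = re.compile(
    r"ALERT sig=(?P<sig>[\w-]+) prio=(?P<prio>\d+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
)

def parse_ids_alert(line: str) -> NormalizedEvent:
    """Parse one raw alert into the common schema, as an agent would
    before forwarding the event to the manager layer."""
    m = RAW_PATTERN.search(line)
    if m is None:
        raise ValueError(f"unrecognized alert format: {line!r}")
    return NormalizedEvent(
        device="ids-sensor-1",
        src_ip=m.group("src"),
        dst_ip=m.group("dst"),
        signature=m.group("sig"),
        severity=int(m.group("prio")),
    )

event = parse_ids_alert(
    "ALERT sig=buffer-overflow prio=9 src=10.0.0.5 dst=192.168.1.20"
)
print(event.signature, event.severity)  # buffer-overflow 9
```

Once every device's output is mapped into one schema like this, the manager can correlate firewall, IDS and host events uniformly instead of reasoning about each vendor's raw log format.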
Asset-focused Real-time Risk Correlation Leads to Intrusion Prevention

The point was made earlier that the fundamental problem with automatic intrusion prevention within a single device is that critical information and context are missing. With centralized security risk management, that problem is solved. A key capability provided by enterprise-class security risk management solutions is real-time risk correlation. Correlation is a powerful function that, if implemented correctly, can leverage the three-dimensional context for threat scoring outlined above. A comprehensive real-time risk correlation system leverages the fact that 100 percent of the alarms and alerts an organization captures are available for analysis and measurement, which then can be combined with critical asset information to determine the highest-priority threats and actions.

Here is how risk correlation provides context:
• What else is occurring? Since the correlation system can see events from not only IDSs, but also firewalls, host logs, encryption systems and VPN connections, an exploit that is handled properly (e.g., blocked at the firewall) can be downgraded in severity. Conversely, a threatening buffer overflow that has traversed the firewall, and caused the target system to connect back out to the source of the attack, will be flagged as a double-red alert.
• Is the asset vulnerable? Many organizations utilize vulnerability scanners to proactively search their networks and report back on the patch level, available services and open ports that they find. In addition, these test programs will report specific vulnerabilities to known exploits. Sophisticated risk correlation systems capture this information in an asset table. As a result, when potential exploits are detected in real time, an immediate reference to the asset table will indicate whether the target is vulnerable to that attack. The threat score is adjusted accordingly.
• How valuable is the asset? The asset table houses organization-specific information about the value of the asset that is utilized by the correlation function. Asset value comprehends the role of the target, what kind of data it manages and what applications are running on it. Mission-critical assets as targets will drive the threat score higher than if the target is in the DMZ.

When presented with an already correlated view of threat activity, vulnerability status and asset value, a security analyst can decide, with confidence, on the correct response and prioritize actions so the overall level of risk to the organization is minimized. Automated real-time risk correlation that uses asset data as its focus can sort through the millions of events that flow through the network each day and precisely identify the most important threats and attacks.

Realizing Reliable Intrusion Prevention

Once real-time risk correlation provides comprehensive and accurate threat detection, reliable intrusion prevention can be implemented in partnership with the security devices in the network infrastructure. A key feature of the correlation function is the ability to take automated actions when certain conditions or threat levels are reached. These actions can range from sending a page or e-mail notifying a key staff member of a problem, to executing a script to reconfigure a system, block traffic or update signatures. In fact, if an organization is utilizing something like a honeypot (a system designed to masquerade as a legitimate target under close supervision of the security staff), there even may be instances where potentially threatening actions are allowed to progress. Because the decisions to take these automated actions benefit from the context provided by complete oversight of the security "battlefield," along with continuously updated asset information, there is a higher likelihood of consistently and accurately intervening only with threatening traffic. This further leverages the security resources and reduces the overall risk profile of the organization.
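The three context dimensions described above, together with a threshold-triggered automated response, can be sketched as follows. The weights, threshold, asset table contents and function names are all invented for illustration and do not reflect any particular product's scoring model.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    """Asset-table entry: vulnerability and business-value context."""
    vulnerable_to: set  # signatures this host is known vulnerable to
    criticality: int    # 1 = expendable DMZ box ... 5 = mission-critical

# Hypothetical asset table, as populated by vulnerability scanners
# and organization-specific asset valuation.
ASSET_TABLE = {
    "192.168.1.20": Asset(vulnerable_to={"buffer-overflow"}, criticality=5),
    "10.1.1.9":     Asset(vulnerable_to=set(), criticality=1),
}

def threat_score(signature: str, target_ip: str,
                 blocked_at_firewall: bool, base: int = 5) -> int:
    """Adjust a base severity using the three context dimensions."""
    score = base
    if blocked_at_firewall:            # what else is occurring?
        score -= 3                     # handled properly: downgrade
    asset = ASSET_TABLE.get(target_ip)
    if asset is None:
        return 0                       # target does not exist: no risk
    if signature in asset.vulnerable_to:  # is the asset vulnerable?
        score += 3
    score += asset.criticality         # how valuable is the asset?
    return max(score, 0)

def respond(score: int, threshold: int = 10) -> str:
    """Threshold-triggered automated action (block/page vs. notify)."""
    return "block-and-page" if score >= threshold else "notify"

s = threat_score("buffer-overflow", "192.168.1.20", blocked_at_firewall=False)
print(s, respond(s))  # 13 block-and-page
```

The same exploit aimed at the unpatched mission-critical host triggers a blocking response, while the identical packets blocked at the firewall or aimed at a nonexistent target score low enough to merit only a notification, which is precisely the context-sensitive behavior a lone perimeter device cannot provide.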
1 Newman, David; Joel Snyder; Rodney Thayer; “Crying Wolf: False Alarms Hide Attacks,” Network Computing Magazine, 24 June 2002.
Hugh S. Njemanze, CISSP, is the founder of ArcSight and leads its product development, IT deployment and product research. Njemanze brings valuable enterprise software knowledge from his 18 years of relevant experience. Most recently, he was the CTO of Verity, where he led product development. Previously, Njemanze worked in software engineering at Apple, where he was one of the key architects behind the Apple Data Access Language (DAL). He was the co-architect of CL/1 (Connectivity Language One) at Network Innovations, which was acquired by Apple in 1988. Prior to that, Njemanze co-developed several language compiler products at Hewlett-Packard.