By John Moore | Posted 2006-05-15
New threats to your computer infrastructure emerge every day. Baseline's Security Survival Guide provides tips and techniques to help you safeguard your organization.
Step No. 2: Track Down the Source
The security group's first question is obvious: Where is the problem? But finding the answer requires ingenuity. There's no single surefire method for finding a security breach and nailing down its scope.
"That task is still more art than science," says Mark Zajicek, technical staff member with the CERT Coordination Center, which studies Internet security vulnerabilities and offers security training. "It's very ad hoc."
Leverage Event Data
Event logs generated by firewalls and early warning intrusion-detection/prevention systems give security analysts one route of inquiry. Demand for tools that help correlate the mass of security data held by the various systems is growing, Zajicek says.
Security experts advise looking at security information and event management software, which helps security managers detect incidents, for clues that may help identify the source of the attack as well.
Security information and event management software rolls up alerts from firewalls and intrusion-detection/protection systems, along with event data from antivirus products, databases, Web servers and elsewhere. It offers two tracks to get to the source. One is its visualization portion, which looks like a large, continuously scrolling spreadsheet and provides some amount of detail on a network attack, detected virus or other event, including the Internet Protocol address of the affected equipment and device name.
The initial information gives a basic sketch of the problem and where it may exist. Every device connected to a network is identified by an Internet Protocol address, for example, which can guide security personnel to the general areas requiring investigation, says David Lawson, director of global services, risk management and compliance at Acumen Solutions, a business and technology consulting firm.
However, there are limitations to this line of inquiry; one is a lack of context. "What does the IP address mean?" asks David Giambruno, director of engineering and security at Pitney Bowes. "Where is it and who is using it?"
The other limitation, Lawson notes, is that an attack may spoof the IP address.
Security analysts thus have to dig deeper into the second source, the event logs, which contain more finely grained detail. They'll be looking for Media Access Control addresses, which identify network nodes, to see if a given IP address is correct and valid, Lawson explains. The logs also will provide details on how an attack progressed through a network. By examining the firewalls and routers and operating systems, analysts can piece together how many Media Access Control addresses, Internet Protocol addresses and routers were targeted in a given incident, Lawson says.
Security personnel, Lawson says, "need information beyond the alert itself." A good security information and event management system will archive logs from different security devices, routers and operating systems.
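The IP-to-MAC check Lawson describes, sketched as an added example (not from the article or any vendor it names). It assumes archived events have already been normalized into records with the hypothetical fields `src`, `ip`, `mac` and `dst`, and that DHCP leases are the authoritative binding; all sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events (not from the article). Field names are hypothetical.
EVENTS = [
    {"src": "dhcp",     "ip": "10.1.4.22", "mac": "00:11:22:AA:BB:01"},
    {"src": "switch",   "ip": "10.1.4.22", "mac": "0011.22aa.bb01"},
    {"src": "firewall", "ip": "10.1.4.22", "mac": "00-11-22-aa-bb-01", "dst": "10.1.9.5"},
    {"src": "dhcp",     "ip": "10.1.4.80", "mac": "00:11:22:aa:bb:07"},
    {"src": "firewall", "ip": "10.1.4.80", "mac": "02:00:5e:10:00:99", "dst": "10.1.9.5"},
    {"src": "firewall", "ip": "10.1.4.80", "mac": "02:00:5e:10:00:99", "dst": "10.1.9.6"},
    {"src": "switch",   "ip": "10.1.4.91", "mac": "00:11:22:aa:bb:33"},
]

def normalize_mac(mac):
    """Reduce vendor-specific MAC notations to aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def check_alert_ip(ip, events):
    """Compare MACs observed for an alert's IP with its DHCP lease; list targets."""
    leased, observed, targets = set(), defaultdict(set), set()
    for e in events:
        if e["ip"] != ip:
            continue
        mac = normalize_mac(e["mac"])
        if e["src"] == "dhcp":
            leased.add(mac)
        else:
            observed[mac].add(e["src"])   # remember which log saw this MAC
        if "dst" in e:
            targets.add(e["dst"])
    unexpected = {m: sorted(s) for m, s in observed.items() if m not in leased}
    if not leased:
        verdict = "no-lease"        # static or unmanaged device: check by hand
    elif unexpected:
        verdict = "mac-mismatch"    # IP used by a MAC it was not leased to
    else:
        verdict = "consistent"
    return {"ip": ip, "verdict": verdict, "leased": sorted(leased),
            "unexpected_macs": unexpected, "targets": sorted(targets)}

if __name__ == "__main__":
    for addr in ("10.1.4.22", "10.1.4.80", "10.1.4.91"):
        print(check_alert_ip(addr, EVENTS))
```

A mismatch is a lead rather than proof, since a lease can change between the events being compared.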
To put alerts in context, Pitney Bowes mapped out a "foundation layer" of its information assets. The company keeps tabs on each I.T. device: what it is, what it does, who uses it, and how it is used. The particulars for a single monitored asset break down into a multitude of attributes (900 for each device, according to security director Giambruno) enumerated in a white paper provided by Pitney Bowes, including operating system, applications, services, accounts and users. Overall, the company's I.T. holdings possess 50 million attributes that generate operational and security data to the tune of 120 million correlations each day.
"I can't handle the scale of [that] data and put it together," Giambruno acknowledges, so Pitney Bowes has outsourced the enormous task to Intuitive Labs, maker of the Operational Excellence security tool. Giambruno notes that his company is Intuitive Labs' first customer.
The data "all rolls up into a massive correlation and inference engine," Giambruno says, which pulls in reports from all of Pitney Bowes' instrumentation systems, including security, networks, servers, desktops and directories, configuration management and applications, among others.
Pitney Bowes receives security status information from Intuitive Labs via a Web portal that displays the company's security situation in graphical form, with devices color-coded by vulnerability. If a critical patch for Oracle databases is announced, say, the company's Oracle server will appear in red.
"Our entire world is red, yellow, green," Giambruno says.
The security setup Giambruno describes doesn't come easily. Curry, the vice president of eTrust threat management solutions at CA, says customers' security information and event management deployments generally occur in phases, starting with a pilot project involving perhaps 100 to 200 sources of security events. Those sources may include intrusion-detection/prevention sensors and firewalls. In the next step, an organization expands the system to additional sources of data or parts of the enterprise. The initial pilot, Curry says, typically focuses on networks and systems the customer deems critical.
A security information and event management system's data gives the security team direction; after that, they must still physically find the affected system.
A configuration management database, which holds information about the components of an organization's information-technology infrastructure, can help. By identifying components and their status, the database helps security managers zero in on the source of trouble, though that doesn't mean all devices are easy to find; a laptop plugged into the corporate network by a temporary worker or other visitor will be elusive.
For all the automated sleuthing, a certain percentage of devices will be discovered only by "some guy crawling through offices, plugging and unplugging things," Lawson says.
The security group's charter typically doesn't cover such low-tech snooping. Axel Tillmann, vice president of security vendor Enira Technologies, says most customers he visits assign network engineers to do the poking around, a time-consuming process with critical business implications. He cites a case where an automobile manufacturer detected a security incident but "couldn't find it quick enough." The company had to shut down production long enough to affect the assembly of 300 cars.
Enira sells "dynamic quarantining" technology, which integrates with security information and event management systems, and automates incident response. Its Network Response Module quarantines affected network nodes. According to Enira, the product determines the location of the device, down to the specific port on a switch, and dynamically reconfigures the appropriate devices to disable the node's network access. The response can also be initiated manually, through a Web browser graphical user interface.
Chad Dougherty, technical staff member at the CERT Coordination Center, said dynamic quarantining may be more useful in some cases than others. It works when the malicious code has a well-understood impact, he says, but adds that a fully automated response may not be the best approach for dealing with targeted, stealthy attacks, such as the infiltration of a server from which further attacks are launched. "Organizations may not want to deploy [dynamic quarantines] in situations where they absolutely want to be sure what happened," he says.
As with detecting an attack, human intelligence must support automated systems in determining the scope and severity of an attack. Security managers say they seek out the affected asset's owner.
"We find out who it is and ask a few questions," says Gatewood, the University of Georgia's chief information security officer. Security personnel will query the systems administrator about the type of applications running on the affected machine and the sensitivity of the data, he adds.
"We then can make a decision ... to stop there and do a clean or a reload, or take it to the next level," Gatewood says.
Determining the appropriate response means taking the attack's venom into account. Besides wanting to know how many systems are affected and where, security personnel also seek to determine "the insidiousness of the attack," Lawson says. "Is it a random exploit ... or a botnet propagating through the network and reporting information back to somebody or some organization through an IRC [Internet Relay Chat] channel? Something like that is much more impactful."
An Internet Relay Chat channel permits the real-time exchange of text messages among users. It also provides the means to control botnets (groups of computers that hackers control remotely and use to transmit spam or viruses) and send captured information back out of a compromised network.
Assessing Vulnerabilities in Advance
While corporate security groups chase down incursions when they happen, they've tried to become more proactive, looking for and fixing weak spots before attacks occur with the help of vulnerability management tools. Like intrusion-detection sensors and firewalls, these tools may feed into security information and event management systems and configuration engines.
Many organizations scan for vulnerabilities on a regular basis, allowing security personnel to determine which systems are vulnerable to attack and patch accordingly.
At Pitney Bowes, Giambruno says, "we scan everything [for vulnerabilities] all the time" with products from McAfee's Foundstone division (general vulnerability management), Lumeta (networks) and AppDetective (applications). The scanners feed into Intuitive Labs' correlation engine, which flags configurations that could invite trouble or devices in need of a patch.
In general, vulnerability scanners may also identify trouble spots such as weak passwords and missing patches.
Eric Hanson, manager of I.T. security at Quad/Graphics, says his company uses Pedestal Software's SecurityExpressions vulnerability and compliance management product to pinpoint areas requiring remediation "to understand our environment and gauge how we are doing." His group also monitors newsgroups and the SANS Institute, among other sources, to keep abreast of news about vulnerabilities.
Lawson says organizations also run vulnerability scans as an attack unfolds: "As you are starting to see a certain kind of attack, you can plug into a vulnerability management system, see what the potential impact could be and head it off."