Turn net intrusions into a better security response plan

Network intrusions, which continue despite the best efforts of security vendors, have given rise to a new generation of security event management (SEM) tools.

Such tools ideally would interpret data from numerous network security devices, isolate the most dangerous threats and execute the most urgent fixes. Even better, products would continuously probe the network for vulnerabilities and pre-emptively eliminate them.

None of the new SEM tools yet offers this security equivalent of the Holy Grail.

At a minimum, SEM tools must monitor networks for events in real time, pull event information into a central console, filter that data and clearly present it to the network or security administrator. Tools should also work with frontline security devices such as firewalls, antivirus software and intrusion-detection systems to block attacks.

And demands are expanding. Security managers, particularly in smaller organizations, don't have the resources to tackle all urgent problems at once. They need tools that can prioritize responses.

"The reality is that organizations generally know nothing about the importance of the resources that are being targeted," said Reed Harrison, chief technology officer and co-founder of e-Security Inc., one of the first SEM vendors. "So security incidents have to be matched to the criticality of those resources."

E-Security's software tags incident data with confidence levels that prioritize actions to guard particular resources, in effect red-lighting incidents that need an immediate response, Harrison said.

This approach, which many SEM vendors pursue, is a step beyond passively monitoring a network and collecting and categorizing events, toward more sophisticated, real-time risk analysis, according to Hugh Njemanze, chief technology officer and senior vice president of research and development for ArcSight, a subsidiary of SVIC LLC. Last November, the company announced that it is receiving funding from In-Q-Tel, a venture capital group run by the CIA.

This spring, ArcSight added a feature called TruThreat Risk Correlation to its real-time event correlation engine. It periodically scans security devices across a network, registers the attributes and known vulnerabilities of each host or system listed on an asset table, and uses them to assign a risk level to each asset. Based on those measurements, a set of predetermined actions can be launched to minimize the damage caused by attacks.

Responsive actions can range from notifying someone of the attack to automatically reconfiguring or shutting down a system.
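As an added illustration (this is not ArcSight's or any other vendor's code), the following Python sketch models the asset-aware correlation the preceding paragraphs describe: each intrusion-detection alert is weighted by the sensor's own confidence, the targeted asset's criticality, and whether the host's last vulnerability scan showed it exposed to that signature; the resulting score then selects one of a set of predetermined responses. A host whose last scan is stale, or which is missing from the asset table, is treated as of unknown exposure rather than as clean, since it is the last scan that tells you whether the machine could actually be compromised. The asset table, the alerts, the signature names, the 1 to 5 criticality scale, the exposure weights, the thresholds and the 30-day staleness rule are all constructed assumptions for the example. Containment (blocking the source address at the perimeter firewall) is only recommended unless a policy flag explicitly enables automatic execution, which mirrors the reluctance to automate responses that users describe later in the article.

```python
"""Asset-aware triage of security events (added illustrative example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# --- Asset table (constructed) -------------------------------------------
# In the article's terms: the "asset table" that records each host's
# criticality and the vulnerabilities found by its last scan.
@dataclass
class Asset:
    name: str
    criticality: int                      # 1 (lab box) .. 5 (crown jewels); hypothetical scale
    vulnerable_to: set = field(default_factory=set)  # signature tags the last scan flagged
    last_scan: Optional[date] = None      # None = never scanned

@dataclass
class Event:
    sensor: str
    src: str
    dst: str
    signature: str
    confidence: float                     # 0..1, the sensor's own confidence in the alert

ASSETS = {
    "10.0.0.5":  Asset("payroll-db",   5, {"sql-overflow-A"}, date(2003, 5, 1)),
    "10.0.0.9":  Asset("dev-web",      2, set(),              date(2003, 5, 10)),
    "10.0.0.20": Asset("legacy-print", 3, set(),              date(2003, 1, 15)),
}
UNKNOWN_ASSET = Asset("unknown-host", 1)   # default for hosts missing from the table

# Constructed IDS alerts; the signature names are hypothetical.
EVENTS = [
    Event("ids-dmz",  "192.0.2.10", "10.0.0.5",  "sql-overflow-A",  0.9),
    Event("ids-dmz",  "192.0.2.10", "10.0.0.9",  "sql-overflow-A",  0.9),
    Event("ids-core", "192.0.2.44", "10.0.0.20", "print-spooler-B", 0.8),
    Event("ids-core", "192.0.2.44", "10.0.0.77", "print-spooler-B", 0.9),
]
TODAY = date(2003, 5, 15)
STALE_AFTER = timedelta(days=30)    # scan results older than this are not trusted

# Hypothetical policy: exposure multipliers and action thresholds (score 0..100).
EXPOSURE = {"vulnerable": 1.0, "unknown": 0.7, "not vulnerable": 0.2}
THRESHOLDS = [(60.0, "page"), (30.0, "ticket"), (0.0, "log")]

def exposure(asset, signature, today):
    """Classify how exposed the asset is to this signature, from scan data."""
    if signature in asset.vulnerable_to:
        return "vulnerable"
    if asset.last_scan is None or today - asset.last_scan > STALE_AFTER:
        return "unknown"          # no recent scan: cannot rule the vulnerability out
    return "not vulnerable"

def risk_score(event, asset, today):
    """Sensor confidence x asset criticality x exposure, scaled to 0..100."""
    exp = exposure(asset, event.signature, today)
    return round(event.confidence * asset.criticality * EXPOSURE[exp] * 20, 1), exp

def plan_response(event, assets, today, auto_block=False):
    """Score one alert against the asset table and pick the predetermined action."""
    asset = assets.get(event.dst, UNKNOWN_ASSET)
    score, exp = risk_score(event, asset, today)
    action = next(a for threshold, a in THRESHOLDS if score >= threshold)
    countermeasure = f"block {event.src} at perimeter firewall" if action == "page" else None
    return {
        "host": asset.name, "dst": event.dst, "signature": event.signature,
        "score": score, "exposure": exp, "action": action,
        "countermeasure": countermeasure,
        # Containment only fires when policy explicitly allows it; otherwise it is
        # a recommendation handed to the security manager.
        "auto_executed": auto_block and countermeasure is not None,
    }

def triage(events, assets, today, auto_block=False):
    """Return a response plan per event, highest risk first."""
    plans = [plan_response(e, assets, today, auto_block) for e in events]
    return sorted(plans, key=lambda p: p["score"], reverse=True)

if __name__ == "__main__":
    for p in triage(EVENTS, ASSETS, TODAY):
        print(f'{p["score"]:5.1f} {p["action"]:6s} {p["host"]:13s} '
              f'{p["signature"]} ({p["exposure"]})')
```

Run as a script it prints the ranked plans: the same signature scores 90 against the vulnerable, high-criticality database and 7.2 against the recently scanned, unaffected development web server, while the print server whose scan is four months old lands in the middle and gets a ticket rather than being ignored.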

"It provides a context that intrusion-detection devices by themselves don't have by showing which elements in the infrastructure are most vulnerable," Njemanze said.

Sandia National Laboratories, which recently bought the ArcSight suite of tools, already has a mechanism in place that allows managers to take the security events logged by individual intrusion-detection systems or firewalls and send reports to systems administrators whose machines might be at risk, said Jeff Taylor, computer security engineer at Sandia.

"Our thinking with something like the ArcSight tools was that, if an unusual event was seen coming into Sandia, we could go back and reclaim the event and see what the hackers were actually trying to do," he said. "We could look to see what the last scan was on a particular machine to see if it had been compromised."

Once the tools are up and running, Taylor said, they could be configured to signal people on night or weekend shifts, who may not necessarily be security experts, about unusual events. The tools could then alert security managers to take a closer look.

However, the ArcSight tools will not automatically trip security fixes, he said. Systems administrators are responsible for their own machines, "and we don't have a hammer that comes down and tells them what to do, because we really don't understand their requirements."

Many of the tools do allow some form of an automated response. They might shut down a particular communications port, for example, if any suspicious activity is detected on that port.

"But we've found that most organizations are not ready yet to take that step," said Phil Hollows, vice president of product marketing for OpenService Inc.

His company's tools drill down into the correlated data of an attack, determine the type of attack and then link to industry databases that contain information about such attacks and corresponding countermeasures. That information is automatically forwarded to the organization's security manager.

Network Intelligence Corp. follows the same process.

"About two years ago, we thought we would be getting into a more proactive response" with the company's tools, said Matt Stevens, vice president of marketing and technology for Network Intelligence. "But customers made it clear there was no way they would want that kind of automatic response."

Instead, the company's tools automatically link threat alerts or incidents on the network to public security databases and extract the relevant information for security managers.

In a way, said Niten Ved, chief operating officer and co-founder of netForensics Inc., event management is something of a misnomer for what users are actually demanding of these security tools.

"From a product perspective, they are actually looking for an incident-handling system," he said. "Event management systems are similar to trouble ticketing systems, and from a security perspective these require a tremendous amount of customization. Now they want systems that are much more focused on actually handling security.

"This is a whole new area of expertise that our customers are asking of us," Ved added.

Other industry experts share that view, including Richard Caliari, director of product strategy for Harris Corp., a major solutions provider to government agencies.

"Up to now, the idea has been to provide tools to allow security managers to get a better idea of what's happening," he said. "Now they want those tools to help them configure systems so they will not be as vulnerable to attack, to pre-emptively close out vulnerabilities."

Robinson is a freelance journalist based in Portland, Ore. He can be reached at hullite@mindspring.com.

