5 Steps to Enterprise Security - Step 3: Detection

Human touch turns log files into leads that block attacks on IT.

Detecting network attacks is as much an art as a science, and thats not likely to change any time soon.

There is no lack of systems for detecting security breaches—IT managers can avail themselves of software tools, services and appliances ranging from firewalls to IDSes (intrusion detection systems) to log analysis programs to managed service providers. Thats the science. Mastering the art of detecting the actions of a motivated, inventive attacker takes human detectives who are just as ingenious and relentless as their opponents.

Question Authority (And Everyone Else)

As weve stated throughout this Special Series on the IT security cycle, technology is only part of the solution to managing risk and exposure. Critical to effective attack and vulnerability detection is persistent curiosity.

Ask questions. Act like a 2-year-old: Why is this service running? Whos using the e-mail system at 3 a.m.? Whats causing this spike in network traffic? Unless IT managers ask questions such as these and exact truthful answers, many network attacks will go undetected until it is too late.

With this in mind, the best place to plot a detection plan is a quiet conference room with a big whiteboard and every IT manager in attendance.

Make a rough map that shows the entire network. List every outside supplier, partner and customer in the margin. By the end of this exercise, you should know—intimately—how, where and when each of these networks connect and is secured. In other words, know the boundaries—and the strengths and weaknesses of the boundaries—between your organizations data and that of the outside world.

Once youve mapped the network, use additional pages to drill down into the resources contained in each net segment. This task may seem hopelessly complex, but detecting attacks requires finely detailed knowledge of the IT resources in an organization. This exhaustive knowledge is one of the few advantages you have over an outside attacker. And full knowledge of the network and comprehensive monitoring tools are the only hope against a determined inside job.

Its important also to look at your network map through a crackers eyes. Be creative: Re-create the plot of a high-stakes thriller novel and imagine the things that could be done with the organizations data.Want to spend a lot of someone elses money? Need a new identity based on intimate personal data? Perhaps someone would like to glance at the product development plans for the next two quarters? Or maybe someone is interested in the companys top sales prospects?

Now, how would you get at that data?

There are myriad resources to help guide IT managers detection efforts. Books, including "Secrets & Lies" by Bruce Schneier (John Wiley & Sons Inc.), and online sources, such as www.cve.mitre.org (the Common Vulnerabilities and Exposures site), provide examples that should get the creative juices flowing in terms of how to track down crackers.

However, in the case of detection, a good defense may start not with a good offense but by returning to the simple life.

In fact, one good long-term goal is to simplify wherever and whenever possible. A simplified IT infrastructure not only reduces the number of possible vulnerabilities but is also easier to maintain overall.

This is especially important given the following truism: IT administrators must look for vulnerabilities throughout the organization, but a cracker has to find only one weak link in the chain. (For some advice on cutting the IT fat, see Part 2 of the security series at www.eweek.com/links.)

Knowing What Is Normal

To detect attacks on it resources, IT managers must know what normal, permitted behavior looks like.

This is easier said than done. It takes time to review the voluminous statistics that document regular IT operations. Clearly, this task is bigger than one person. IT managers must gather on a regular basis to discuss what they are seeing from a security standpoint.

Examine network protocol analyzer captures and log files from applications and servers. Protocol analyzers, such as Network Instruments LLCs Expert Observer, are good at sniffing traffic captures on individual segments, and log files captured by tools such as Patrol from BMC Software Inc. are a great (if somewhat repetitive) way to track what "normal" behavior looks like.

There is little that differentiates one packet sniffer from another; they are all useful in tracking down potential security problems on the network.

Network Associates Inc.s Sniffer Pro and WildPackets Inc.s EtherPeek are serviceable software-only tools that are effective at capturing and analyzing network traffic.

Hardware probes, along with software from companies including Finisar Systems (formerly Shomiti Systems Inc.) are useful but much more expensive to deploy in areas where long-term monitoring of high-volume nets is required.

NetIQ Corp.s WebTrends and Telemate.net Software Inc.s NetSpective rely on log data to track user activity and are good additions to an application managers detection tool kit. Using tools such as these makes quick work of learning what is normal behavior and often equally quick work of highlighting potential problems.

Log files and performance reports can also reveal important clues—forensic data—about attacks. Capturing and studying data about IT usage is the best way to determine if an attack has been perpetrated and the extent of the damage.

Checking logs and other performance data needs to be at least a daily occurrence, according to security experts and evidenced by eWeek Labs testing. Even looking over a small section of an activity report can provide clues that a probe is in progress, thereby alerting IT managers to take further action to detect the source of the attack. Because threats can change moment by moment, expect to make adjustments to data capture parameters frequently.

Tools of the Trade

In addition to network sniffers and log analysis products, a variety of tools and services are available that will help protect IT assets while also making them available to those who need them.

IDSes such as the StealthWatch appliance from Lancope Inc. can be programmed to look for a limited range of anomalous behavior to identify attacks. (See review at www.eweek.com/links.) However, IT managers must consider that IDSes can have negative effects and can be used just as easily by crackers to cause harm.

The intent of many of these tools is to probe for weaknesses, and in the process, they can block access to needed ports on a Web server or can cause applications to break. It almost goes without saying that these tools should not be used on a production network during business hours.

An even better solution is to set up a lab that mimics your organizations IT environment. There, you can practice using the IDS tool and fine-tune the system so that it sends as few false-positive alerts as possible. (Security staffers are likely to turn off or ignore an IDS that they think is crying wolf.)

Also, no matter how fast and thorough an IDS may be, it can still find only the attacks it has been programmed to look for. Thus, these tools can reduce the pest factor—the unimaginative script kiddies, crackers who use others code to initiate an unoriginal attack—but often miss new attacks based on innovative techniques.

IT managers should treat intrusion detection—and security preparedness in general—as a new task every day. Come back to the IDS system for a few minutes every morning and ask, "Is this device up-to-date with the attacks Ive heard about?"

Outside Looking In

The natural inclination is to manage security from inside the organization. There are many good reasons for this, not the least of which is that effective security requires an intimate, day-to-day knowledge of the equipment, data and business operations of the company.

Even so, outside expertise can be of real benefit as an organization goes about setting up and maintaining a detection system. A good security auditing company is already familiar with the case histories of successful attacks and should have an inspection regimen that quickly reveals these weaknesses in your organizations IT infrastructure. This is key to detecting problems down the line.

Companies that go beyond assessment to offer monitoring services have the advantage of seeing patterns of attacks against a large number of customers. This makes it much more likely that they will see new problems quickly and will hopefully have recommendations to thwart the assault.

Companies such as Counterpane Internet Security Inc. and Digital Defense Inc. offer a variety of assessment, monitoring and response services that can help secure the IT infrastructure. When evaluating service providers, organizations should first and foremost look for companies that have experience in their particular industry. A hospital, for example, should pass on a service provider with no experience in securing medical institutions and patient information.

Security monitoring companies can also afford to train staff members to recognize the latest threats and attacks, not to mention bond them. These resources are often harder—if not impossible—to justify at organizations where security is essentially a cost center.

The drawbacks to outsourced security are exposure and dependency. As weve stated, effective security means knowing the IT system, and outsourcing security means transferring that knowledge to a provider. Companies that outsource detection and response authority should keep in mind that giving another company enough information to secure your site is in itself a security risk.

Detection is a critical part of securing data from attack, but its not enough. Its not good enough to have a log file report that an unauthorized operator is copying credit card numbers from the central customer database; action must then be taken.

In Part 4 of this Security Series, well discuss the ways that active monitoring should lead to an appropriate and timely reaction to security attacks on computing resources.

Senior Analyst Cameron Sturdevant can be contacted at cameron_sturdevant @ziffdavis.com.