People reading this blog are likely to be very savvy about network and application monitoring – mainly focused on availability and performance. But when there’s a security incident, both availability and performance are likely to be crushed. Even though NetBeez does not currently focus on network security monitoring, I’d like to talk about it.
Network security monitoring involves several tools, including Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM), and behavioral analysis with NetFlow. IDSs watch for known malicious behavior on the network, looking to match signatures of such behavior and alert on them. A SIEM aggregates information from IDS, host IDS (HIDS), firewalls, applications, databases… pretty much anything that can deliver log files.
The SIEM provides cross-correlation across these sources, giving security analysts visibility into what is going on in the organization from a security perspective. Behavioral analysis handles potentially malicious activities that cannot be detected with a signature approach: the fact that the network is behaving oddly indicates possible malicious activity that needs to be investigated. For example, abnormally sluggish network performance can be due to an ongoing DDoS attack consuming bandwidth. Or, it may be normal to have quite a bit of IM traffic on the network segment used by your inside sales team. However, if the server housing your confidential customer information suddenly has a burst of IM traffic, you should investigate for malicious behavior.
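The "IM traffic from the customer database server" scenario above is the kind of thing a simple per-host behavioral baseline catches. The following is an added example, not NetBeez or AlienVault code: it builds an hourly byte-volume baseline per (host, destination port) from constructed NetFlow-style records, then flags the current hour when a host either talks to a port it has no history for, or its volume to a known port jumps well beyond its usual range. Host names, ports and the traffic figures are constructed for illustration; port 5222 (XMPP) stands in for "IM traffic" and 443 for ordinary HTTPS.

```python
"""Toy behavioral anomaly check over NetFlow-style records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

BASELINE_HOURS = range(24)   # history window
CURRENT_HOUR = 24            # window being evaluated


def constructed_flows():
    """Constructed records: (hour_bucket, src_host, dst_port, bytes). Not real data."""
    flows = []
    for hour in BASELINE_HOURS:
        # Inside-sales desktop: steady IM (XMPP, 5222) chatter is normal for that role.
        flows.append((hour, "sales-pc-01", 5222, 40_000 + (hour * 7_919) % 20_000))
        # Customer database server: only HTTPS/API traffic in its history.
        flows.append((hour, "crm-db-01", 443, 200_000 + (hour * 104_729) % 30_000))
    flows += [
        (CURRENT_HOUR, "sales-pc-01", 5222, 52_000),   # within its usual range
        (CURRENT_HOUR, "crm-db-01", 443, 215_000),     # within its usual range
        (CURRENT_HOUR, "crm-db-01", 5222, 30_000),     # IM traffic from the DB server: no history
    ]
    return flows


def build_baseline(flows, baseline_hours):
    """Per (host, port): mean and population std-dev of hourly bytes over baseline_hours.

    Hours with no traffic count as zero so that a normally quiet pair gets a low mean.
    """
    per_hour = defaultdict(lambda: defaultdict(int))   # (host, port) -> hour -> bytes
    for hour, host, port, nbytes in flows:
        if hour in baseline_hours:
            per_hour[(host, port)][hour] += nbytes
    baseline = {}
    for key, hours in per_hour.items():
        samples = [hours.get(h, 0) for h in baseline_hours]
        baseline[key] = (mean(samples), pstdev(samples))
    return baseline


def detect_anomalies(flows, current_hour, baseline, z_threshold=3.0):
    """Return (host, port, reason) for current-hour traffic that departs from the baseline.

    Two detections: a (host, port) pair with no history at all, and a known pair whose
    volume sits more than z_threshold standard deviations above its mean (a burst).
    """
    current = defaultdict(int)
    for hour, host, port, nbytes in flows:
        if hour == current_hour:
            current[(host, port)] += nbytes

    findings = []
    for (host, port), nbytes in sorted(current.items()):
        if (host, port) not in baseline:
            findings.append((host, port, "new service: no history for this host/port"))
            continue
        mu, sigma = baseline[(host, port)]
        if sigma == 0:
            # Constant history: any increase at all is a departure from the baseline.
            if nbytes > mu:
                findings.append((host, port, f"{nbytes} bytes above constant baseline {mu:.0f}"))
            continue
        z = (nbytes - mu) / sigma
        if z > z_threshold:
            findings.append((host, port, f"volume z-score {z:.1f} exceeds {z_threshold}"))
    return findings


def run_example():
    flows = constructed_flows()
    baseline = build_baseline(flows, BASELINE_HOURS)
    return detect_anomalies(flows, CURRENT_HOUR, baseline)


if __name__ == "__main__":
    for host, port, reason in run_example():
        print(f"INVESTIGATE {host} -> tcp/{port}: {reason}")
```

Only the database server's new XMPP traffic is reported; the sales desktop's IM volume and the server's HTTPS volume both fall inside their own history. In practice the baseline would be keyed on more than a port (time of day, peer subnet, byte direction) and the thresholds tuned per asset class, which is exactly where asset inventory feeds behavioral analysis.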
In addition to security monitoring, there are other supporting disciplines for understanding what is going on in the network. These include asset management and vulnerability management. Asset management entails discovering and providing information on all of the different servers, applications, endpoints and more on the network. Vulnerability management hunts for known problems that exist in the network, made known by public reporting of such vulnerabilities. Adobe and Microsoft reign supreme in vulnerability counts, although any sufficiently complex software will have them.
Endpoint security, such as antivirus and anti-malware, fits into the prevention category. Unfortunately, these measures are working out to be not very effective at the moment. This is due to the signature orientation of such prevention methods, which is confounded by the sheer amount of malware, plus the introduction of zero-day (brand-new) malware for which no signature exists yet.
No matter what you read or hear in the media or at places like Black Hat and DEF CON about very technical, sophisticated exploits, social engineering is generally the initial vector by which malware gets introduced into *anything*. Social engineering entails fooling nice folks into clicking on malicious links in emails, picking up drive-by malware from websites, and letting people tailgate into an organization to steal laptops and create mayhem in many ways. The malicious thumb drive is very much in the news, and it is surprising how many nice folks will go right ahead and plug a diseased and infectious thumb drive right into your network. Here’s a sample spearphishing email:
“This is Ralph Simmons, your daughter’s school principal. You need to come pick your child up ASAP, as there has been an incident with her and another student. To see a copy of the incident report we put on file, Click Here!
Respectfully,
Mr. Simmons
Fake School Principal”
Pretty irresistible: I think many security pros would click on that one before thinking about it.
At a high level, people who are focused on user experience, application and network performance are not overly happy with the security measures undertaken by an organization. Requiring complex passwords, multi-factor authentication, blacklisting or whitelisting applications for users and prohibiting access to known malicious websites are not popular, but those are the kinds of measures security people have to take to protect their networks. Monitoring the activities on the network for security reasons just isn’t going to be popular. Improving the user experience: certainly popular.
However, there is no great application performance while a security incident is under way. So, life is not so simple.
On the surface, performance/user experience and security are not closely related, but this is not the reality. In fact, there is grassroots support to integrate security right into DevOps, and some thought that more collaboration is required to be effective (see “SecDevOps: The New Black of IT”, http://www.slideshare.net/CloudPassage/sec-devops-webinar-deck). After all, without good security, there will not be a good, consistent user experience.
I work for a security company, AlienVault, which provides a pre-integrated solution to address security across all of these areas: asset management, IDS, SIEM, vulnerability management and behavioral analysis. Great user experience requires a healthy network. NetBeez provides excellent distributed network monitoring, focusing on a great user experience. Perhaps industry experts are right: DevOps needs to be married with security monitoring. SecDevOps just might be the “New Black.”