<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Secure Thinking &#187; &#8211; WAF</title>
	<atom:link href="http://www.btsecurethinking.com/tag/waf/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.btsecurethinking.com</link>
	<description></description>
	<lastBuildDate>Mon, 06 Feb 2012 10:29:09 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>NCSM Tips and Myths:  It’s Time to Clear the Air – Part 1</title>
		<link>http://www.btsecurethinking.com/2010/10/ncsm-tips-and-myths-it%e2%80%99s-time-to-clear-the-air-part-1/</link>
		<comments>http://www.btsecurethinking.com/2010/10/ncsm-tips-and-myths-it%e2%80%99s-time-to-clear-the-air-part-1/#comments</comments>
		<pubDate>Fri, 08 Oct 2010 13:52:57 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureAlert]]></category>
		<category><![CDATA[- BT Counterpane]]></category>
		<category><![CDATA[- BT MSSP]]></category>
		<category><![CDATA[- IDS/IPS]]></category>
		<category><![CDATA[- MSSP]]></category>
		<category><![CDATA[- National Cyber Security Month]]></category>
		<category><![CDATA[- security myths]]></category>
		<category><![CDATA[- Security ROI]]></category>
		<category><![CDATA[- UTF]]></category>
		<category><![CDATA[- WAF]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=964</guid>
		<description><![CDATA[By Senthil Venkatachalam, Product Manager, BT Global Services October is National Cyber Security Month with the theme of shared responsibility.  It is an appropriate time to explore the relationship between security vendors and customers and look at some of the myths surrounding security solutions &#8212; such as their deployment, costs, ROI, and compliance.  This is the [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Senthil Venkatachalam, Product Manager, BT Global Services</em></p>
<p>October is National Cyber Security Month with the theme of shared responsibility.  It is an appropriate time to explore the relationship between security vendors and customers and look at some of the myths surrounding security solutions &#8212; such as their deployment, costs, ROI, and compliance.  This is the first of a two-part post, which attempts to dispel these myths and offer clarity through all the smoke and haze.</p>
<p><strong><em>Myth: Security is a question of buying a few products, plugging them in and everything will be OK. </em></strong></p>
<p>Many customers think security ends once perimeter security devices such as firewalls and IDS/IPS systems are in place.  In fact, buying and installing expensive security devices at the perimeter is only the beginning.  In addition to the proper configuration of such devices, comprehensive security can only be achieved when these devices are monitored 24x7x365 to pick up any malicious, illegal and/or noncompliant activity on the customer network.</p>
<p>Many organizations don’t understand the critical need to monitor infrastructure on a 24&#215;7 basis.  They are unaware, unsure, or unable to set up a comprehensive monitoring program due to the significant security experience, expertise, and investments needed.  Managed security solutions providers can help customers achieve security without breaking the bank.</p>
<p>It’s also important to go beyond just monitoring the perimeter.  By monitoring infrastructure components &#8212; such as routers and switches that connect the various networks, servers that run many high-availability business applications, the business applications themselves, and end hosts &#8212; security analysts will get a complete view of the organization’s security in real-time.</p>
<p><strong><em>Myth: Signature sets are accurate and have a low false positive rate. </em></strong></p>
<p>Customers who have installed complex security devices such as IDS/IPS systems, UTMs, WAFs, and the like, need to be aware of the significant false positive rates generated by many such devices.  Our experience has shown that the false positive rates on some of these devices can exceed 98% on a sustained basis.</p>
<p>What can an organization do under such a deluge of false positives?  This topic is an article in itself, but the short answer is through the use of technology, people, and process.</p>
<p>Weeding out the false positives and getting to the log messages that are truly indicative of a security event is an art form.  Technology is a big component of this, but such technology is not straightforward and is usually out of reach for most organizations.  Organizations that do not have the technology and expertise can rely on Managed Security Service Providers (MSSPs) to offer them such protection.</p>
<p>The following carefully considered approaches will be a big help in reducing the false positive rate:</p>
<ul>
<li><strong>Configuring the security device correctly</strong> – This is an area of great pain for customers who need to know the intimate details of configuration options and requires deep security and vendor knowledge to make work correctly.  We are aware of instances where wrong flag settings (which are easy to overlook) could result in the device not looking for 0-day activity.</li>
<li><strong>Using correlation modules</strong> – Correlation technologies can reduce the false positive rate by detecting security activity that cannot be deduced from a single security log message, but only from a whole set of such log messages generated over a period of time.</li>
<li><strong>Tuning your devices and monitoring systems</strong> – This helps to understand which security messages result from regular business use and which indicate anomalous activity. This is a difficult process for customers to do on their own; it is much easier when performed by security experts who have done this many times with other organizations.</li>
</ul>
<p>Organizations that put in place security solutions without considering these issues are in for a nasty surprise.  A false positive deluge makes it extremely difficult to spot the real security events and lowers the morale of security analysts looking at these on an hourly/daily basis, often leading to boredom and indifference &#8212; not a great place to be for a security program.</p>
<p><strong><em>Myth: Low/No Configuration needed – turn it on and it will work.</em></strong></p>
<p>Customers of complex security solutions need to consider the full cost of deploying, configuring, managing, and monitoring such solutions. We know of organizations that have bought into the pitch that they can simply plug and play complex monitoring solutions with their existing security monitoring staff.  Alas, if only this were true.</p>
<p>Tight budgets and overloaded security staff often mean that there is no significant training on the product, and security personnel do not have the time (or the incentives) needed to understand the ins and outs of such complex technologies to deploy them correctly.  The complex security solutions in the aforementioned organizations stay neatly packaged, still on the shelf.</p>
<p><em>Are there other common deployment myths in the security community that you would like to dispel?  Post a comment below and share them with the community at SecureThinking.   </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2010/10/ncsm-tips-and-myths-it%e2%80%99s-time-to-clear-the-air-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Guest Post: We’ve been blind to attacks on our websites</title>
		<link>http://www.btsecurethinking.com/2009/10/guest-post-weve-been-blind-to-attacks-on-our-websites/</link>
		<comments>http://www.btsecurethinking.com/2009/10/guest-post-weve-been-blind-to-attacks-on-our-websites/#comments</comments>
		<pubDate>Wed, 14 Oct 2009 21:34:54 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[- Breach Security]]></category>
		<category><![CDATA[- BT Counterpane]]></category>
		<category><![CDATA[- BT MSSP]]></category>
		<category><![CDATA[- PCI DSS]]></category>
		<category><![CDATA[- SQL Injection Attacks]]></category>
		<category><![CDATA[- WAF]]></category>
		<category><![CDATA[- Web Application Firewalls]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=115</guid>
		<description><![CDATA[Ryan Barnett, Director of Application Security Research at Breach Security SQL injection attacks are the No. 1 cause of data loss according to the 2009 Data Breach Investigations Report by Verizon. The report points directly to secure coding in PCI DSS and the need for code review or web application firewalls (WAFs).  While SQL injection [...]]]></description>
			<content:encoded><![CDATA[<p>Ryan Barnett, Director of Application Security Research at Breach Security</p>
<p><em>SQL injection attacks are the No. 1 cause of data loss according to the <strong><a href="http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf">2009 Data Breach Investigations Report by Verizon</a></strong>. The report points directly to secure coding in PCI DSS and the need for code review or web application firewalls (WAFs).  While SQL injection attacks are often detected incorrectly by IDS/IPS, specialist application monitoring presented within a WAF gives far better accuracy with detecting application layer attacks.  </em></p>
<p><em>To shed more light on web application firewall technology, we have asked our technology partners at <strong><a href="http://www.breach.com/">Breach Security</a></strong> to offer their insights.  Here’s what Ryan Barnett, Director of Application Security Research at Breach Security, has to say: </em></p>
<p>There was an interesting article on <strong><em>Computerworld’s </em></strong>website entitled <strong>“We’ve been blind to attacks on our Web sites.”</strong>  The article drives home an important use-case for WAFs – <strong>visibility of web traffic</strong>. Too many people get caught up in the “block attacks with a WAF” mentality and forget about the insight that can be gained by simply having full access to the inbound request and response data.  From the article:</p>
<p><em>Of course, as the security manager, I can&#8217;t afford a false sense of security, so I recently took some steps to find out just what was going on within our Web servers&#8217; network traffic.  And it turns out that many attacks have been getting through our firewalls undetected.  We&#8217;ll never know how long this has been going on.</em></p>
<p><em>&#8212; <strong>Computerworld</strong>, J.F. Rice, “We’ve been blind to attacks on our Web sites” (June 23, 2009)</em></p>
<p>This is a typical first reaction.  Most of today&#8217;s network firewalls have some sort of Deep Packet Inspection capability.  However, most people don&#8217;t use it because of the performance hit.  The firewalls are mainly geared towards deciding whether to allow a connection based on the source/destination IP and port combination rather than on the actual application payload.  This is somewhat like using the telephone to call someone: a firewall would just check to see if you are allowed to call that phone number, but it doesn&#8217;t usually look at what you are saying in the conversation once you are connected.</p>
<p>The other big hindrance to inspecting web traffic at a network firewall is SSL.  You have to be able to decrypt the layer 7 data in order to inspect it.</p>
<p><em>My company&#8217;s front-end Web servers, which directly receive connections from the Internet through our firewalls, are definitely a hot spot in our network.  The firewalls and IDS allow us to see some of what&#8217;s going on, but can they really detect active content-based attacks?  To find out, I installed a Web application firewall in my company&#8217;s DMZ to tell us about active attacks that may not be identified by our other devices.  I set the device up in monitor mode, though it can be set up to block attacks, because my goal was just to see what was going on.  I wanted to know more about what&#8217;s inside the connections to those Web servers.</em></p>
<p><em>&#8212; <strong>Computerworld</strong>, J.F. Rice, “We’ve been blind to attacks on our Web sites” (June 23, 2009)</em></p>
<p>The WAF can initially be deployed in detection-only (monitoring) mode to provide visibility without blocking any traffic.</p>
<p><em>What I discovered is that our Web sites are being &#8220;scraped&#8221; by other companies &#8212; our competitors!  Some of the information on our sites is valuable intellectual property.  It is provided online, in a restricted manner (passwords and such), to our customers.  Such restrictions aren&#8217;t very difficult to overcome for the Web crawlers that our competitors are using, because webmasters usually don&#8217;t know much about security.  They make a token attempt to put passwords and restrictions on sensitive files, but they often don&#8217;t do a very good job.</em></p>
<p><em>&#8212; <strong>Computerworld</strong>, J.F. Rice, “We’ve been blind to attacks on our Web sites” (June 23, 2009)</em></p>
<p>Scraping attacks that are executed by legitimate users and aim to siphon off large amounts of data are a serious threat to many organizations.  These types of attacks cannot be identified by signature based rules as there is no overt malicious behavior to identify if only one individual transaction is inspected.  Behavioral analysis needs to be employed to correlate multiple transactions over a specified time period to see if there is an excessive rate being used.  Anti-automation defenses are critical.</p>
<p><em>Our Web application firewall found some other problems as well.  We experience hundreds of </em><a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9001878"><em>SQL injection attack</em></a> <em>attempts every day.  So far, none has been successful, but I&#8217;m amazed at the sheer volume.  I can&#8217;t imagine anyone having the time to sit around trying SQL injection attacks against random Web servers, so I have to assume that these attacks are coming from automated scripts.  In any case, they are textbook examples of SQL injection, each one walking through various combinations of SQL code embedded in HTML.  It looks like we&#8217;ve done a good job of securing our Web applications against these attacks, but it&#8217;s always a little disconcerting to hear invaders pounding on the door.</em></p>
<p><em>&#8212; <strong>Computerworld</strong>, J.F. Rice, “We’ve been blind to attacks on our Web sites” (June 23, 2009)</em></p>
<p>Having visibility into the types of automated attacks launched against a web application provides two key pieces of data:</p>
<ol>
<li><strong>Understanding of the Threat component of the Risk equation</strong> – Many academic debates and discussions happen early on in the development of software.  One of the more challenging aspects to quantify is the threat.  Is there really anyone out there targeting our sites?  Where are they coming from?  What attacks are they launching?  Without this type of confirmed data obtained from the production network, it is difficult to do threat modeling accurately.</li>
<li><strong>Validation of secure coding practices</strong> – It will become evident very quickly whether or not the web application is vulnerable to these types of injection attacks.  If the application does not implement proper input validation mechanisms, then there is a possibility that the injected code will be executed and the application will respond abnormally.  By inspecting both the inbound request and the outbound response, it is possible to confirm if/when/where input validation is faltering.</li>
</ol>
<p>BT’s Managed Security Solutions Group is the first global MSSP to work with Breach Security’s <strong><a href="http://www.breach.com/news-events/press-releases/2009-10-06_WebDefend4.html">WebDefend</a></strong> to ensure that application attacks detected by the WAF can flow into a central security monitoring framework, providing the maximum amount of intelligence to SOC engineers and enabling state-of-the-art monitoring.  Most customers struggle with an increasing number of management consoles and alerting frameworks.  The capability to plug WebDefend into a central framework gives organizations the benefit of 24x7x365 monitoring.</p>
<p><strong><a href="http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf">http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf</a></strong></p>
<p><strong><a href="http://www.breach.com/">http://www.breach.com/</a></strong></p>
<p><strong><a href="http://www.computerworld.com/s/article/340216/We_ve_Been_Blind_to_Attacks_on_Our_Sites">http://www.computerworld.com/s/article/340216/We_ve_Been_Blind_to_Attacks_on_Our_Sites</a></strong></p>
<p><strong><a href="http://www.breach.com/news-events/press-releases/2009-10-06_WebDefend4.html">http://www.breach.com/news-events/press-releases/2009-10-06_WebDefend4.html</a></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2009/10/guest-post-weve-been-blind-to-attacks-on-our-websites/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

