Taos, Inc.

February Issue of the Taos Newsletter: IT Security

Enterprise Defense Strategies to Reduce Network Risk

By Tim Keanini, Chief Technical Officer, and Andrew Maguire, Director, Product Marketing, nCircle

In recent years, enterprise network environments have become more complex, with an increasing reliance on digital assets to provide services that meet business demands. The greatest challenge to overcome for any organization is the implementation and management of security solutions, ensuring network and data integrity that maps directly to the business problem.

The variety, frequency, and complexity of attacks used against corporations are increasing dramatically. Scripted attack methods automate the process of breaking into a network to the level of point-and-click; very little skill is required to compromise a network and disrupt business, steal proprietary data, or maliciously damage or modify information and data files. Losses due to information theft and financial fraud are two of the leading costs associated with security breaches. The need to deal with intrusions effectively has never been greater.

The dramatic increase in known vulnerabilities and new attack methods gives a hacker many alternatives when breaching a company's network security, leading to an ever-increasing number of incidents.

Reactive Security: High Cost, Limited Effectiveness

Traditional network security approaches, built around aggregated point products and reactive response models, are simply not up to the challenge. Contrary to industry expectation, the deployment of reactive security solutions such as firewalls and intrusion detection systems (IDS) has done little to decrease the incidence of intrusions or the damage caused by intruders. Firewalls can be considered the gatekeepers of the network, but they deliver limited protection. Their biggest limitation is that most firewalls do not inspect the content of the packets they pass. Intrusion detection systems, on the other hand, were not originally designed to prevent attacks or damage either, but rather as an audit tool of events that might help to reconstruct the attack and indicate the extent of the compromise.

Many intrusion detection systems miss attacks because they cannot keep up with high volumes of network traffic and/or they generate an unmanageable number of alerts due to false positives, making a real attack difficult to identify. False positives are generated when legitimate activity is incorrectly interpreted as an attack. When organizations are repeatedly hit with false positives, they begin to ignore their alerting system and the data it collects, rendering the system potentially useless. False positives are a constant challenge for most organizations, and many man-hours are spent tuning signatures and analyzing logs to figure out if an attack actually took place. By then, the damage has been done.

Reactive security is just that, reactive. Resources cannot be planned and budgets cannot be estimated based on what "might" happen, and when. Undoubtedly, intrusion detection has its place in the layered security architecture of many organizations, but the costs in time, manpower, and incident recovery associated with reactive controls are prohibitive.

Proactive Security: Making Networks Immune to Attack

What is required is a fundamental shift in the philosophy of network security from attack management to vulnerability management. The vulnerabilities inherent within networked systems allow an attacker to gain a foothold within the network. These vulnerabilities place an organization at risk. The weaknesses found in the operating systems, applications, and services needed to run a business must be constantly assessed to identify the extent of exposure and to lower the probability of attacks on critical networks. To do this, companies must focus their resources on proactive rather than reactive security operations and stop the potential damage an attack might inflict before it starts. By proactively measuring the exposure of a network to attack, a security administrator can easily quantify and qualify the risk associated to each device and take the preventative steps needed to increase the survivability of the network and to limit the exposure of key business assets.

The Last Line of Defense: Vulnerability Management

A recent research note released by the CERT® Coordination Center (CERT/CC) stated, "Ninety-nine percent of network intrusions result from the exploit of known vulnerabilities for which there are existing countermeasures."

Effectively, the only security solution available that allows organizations to identify known vulnerabilities and to manage the implementation of countermeasures is Vulnerability Management. Vulnerability Management is the process of identifying, measuring, prioritizing, and managing the lifecycle of potential network security exposures that might put your business at risk. Vulnerability Management determines weaknesses within the network by proactively probing each device for its susceptibility to known vulnerabilities and managing the process of addressing those exposures before they can be exploited. This ability to discover detailed information about every device in an organization is extremely valuable because it enables IT staff to monitor compliance with network security policies and to ensure network integrity.

Security solutions such as Vulnerability Management enable organizations to prioritize and allocate resources to mitigate network risk on a proactive basis. Budgets can be planned and a structured security program can be implemented, ensuring effective management and measurement of the company's risk posture. In effect, the prioritization of risk reduction is not based solely on the number or criticality of vulnerabilities present on a device, but the value of each device as part of the business process.
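A small worked illustration of the prioritization described above, added here as an example and not part of the original newsletter or of any nCircle product: each device's risk is weighted by its business value and its exposure, so the remediation queue is not driven by vulnerability count or severity alone. The Finding and Device fields, the scoring weights, and the sample inventory are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Finding:
    vuln_id: str          # scanner identifier (constructed sample values)
    severity: float       # 1.0 (low) .. 10.0 (critical)
    countermeasure: bool  # a patch or configuration fix already exists


@dataclass
class Device:
    name: str
    business_value: int   # 1..5: weight of the device in the business process
    exposed: bool         # reachable from outside the perimeter
    findings: list[Finding] = field(default_factory=list)


def device_risk(dev: Device) -> float:
    """Risk = business value x exposure factor x sum of finding severities (assumed weights)."""
    exposure = 2.0 if dev.exposed else 1.0
    return dev.business_value * exposure * sum(f.severity for f in dev.findings)


def remediation_queue(devices: list[Device]) -> list[tuple[str, float, list[str]]]:
    """Rank devices by risk (highest first); for each, list the findings that have a countermeasure."""
    ranked = sorted(devices, key=device_risk, reverse=True)
    queue = []
    for dev in ranked:
        fixable = sorted((f for f in dev.findings if f.countermeasure),
                         key=lambda f: f.severity, reverse=True)
        queue.append((dev.name, round(device_risk(dev), 1), [f.vuln_id for f in fixable]))
    return queue


# Constructed sample inventory: the workstation carries the most and the worst
# findings, yet it should rank last because of its low business value.
INVENTORY = [
    Device("dev-workstation", business_value=1, exposed=False,
           findings=[Finding("V-001", 9.0, True), Finding("V-002", 7.5, True),
                     Finding("V-003", 6.0, True)]),
    Device("order-db", business_value=5, exposed=False,
           findings=[Finding("V-004", 7.0, True)]),
    Device("web-frontend", business_value=4, exposed=True,
           findings=[Finding("V-005", 5.0, True), Finding("V-006", 4.0, False)]),
]

if __name__ == "__main__":
    for name, risk, fixes in remediation_queue(INVENTORY):
        print(f"{name:16s} risk={risk:6.1f} patch first: {fixes}")
```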

Summary

To be effective, network security solutions must be made up of several layers to address the various types of threats faced by today's networks. IDS and firewall solutions, the first and second lines of network defense, are reactive and thus have high resource overhead and limited impact on securing the network. In the likely event that an attack evades all the other security measures deployed at the entry points, internal gateways, and even at the host level, Vulnerability Management bolsters the last line of defense by making the target immune to attack. Proactive remediation - patching vulnerable systems before they can be exploited - is the best countermeasure to attack. In a time when networks are barraged by accelerating numbers of attacks, the only good defense is prevention.

About CERT

Established in 1988, CERT is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.

About nCircle

nCircle is a leading provider of appliance-based vulnerability management solutions. Global 2000 companies use nCircle's appliance-based vulnerability management solutions to:

  • Reduce network security exposures
  • Enforce compliance with security policies
  • Increase effectiveness of the security program

nCircle offers IP360 as a proactive solution for enterprise security. IP360 is an appliance-based vulnerability management solution that continuously discovers, assesses, and protects IP-based devices within the enterprise network against the threats that put your business at risk. IP360 has been deployed to protect Global 2000 enterprises in the financial services, insurance, government, manufacturing, and services industries.

For more information, contact nCircle at (888) 464-2900 or visit www.ncircle.com.

© 2004, Taos Mountain, Inc.