The threats that current-day networks face are advanced, persistent, and evolving continuously. To protect against them, network and security solutions are becoming more complex. Complexity leads to inefficiency and increased cost. A typical large organization uses multiple security products from multiple vendors. Some organizations use up to 70 different products to secure their networks. Each of these products has different information in different management consoles. In the event of an attack, you have to look at multiple consoles and correlate information manually to even determine that you are under attack.
Most of the recent high-profile cyber attacks have had one thing in common: Security systems detected those attacks, but the event logs were lost in a flood of other logs and went unnoticed. Why?
To understand the complexity of incident response, consider an example. Let’s say you are looking at logs from the IPS in your organization, and you come across an attack that happened seven days ago. The only identifying information in the logs is the IP address of the internal host that was the target of the attack. To find out which host and user had that IP address from your internal DHCP range, you will need to go through the DHCP server logs - assuming that your organization stores such logs and you have access to them. From the DHCP logs, you will get a MAC address for the machine - but you will not know which user was logged on at the time of the attack. However, if your organization enforces network access control, you may be able to find that information in the access control system logs. In the absence of a network access control system, you will need to find out where the MAC address is currently connected and what that switch port is connected to. Finally, you will get a physical location of the device and, when you walk to the location, the identity of the user.
This example shows how difficult it can be to respond to and contain an attack. Now multiply the effort by the hundreds of events per day, and you begin to understand how incident response can become slow and ineffective.
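The manual trace described above, written out as code, makes one pitfall visible: the IPS alert is seven days old, so the DHCP lease that matters is the one that covered the address at the time of the attack, not the lease that holds it today. The following is an added example, not code from the original text; the log formats (`DHCPACK` and `AUTH-OK` lines with `key=value` fields) and all sample entries are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed IPS alert: the only identifier is the target's internal IP, and it is a week old.
IPS_ALERT = {"time": "2024-03-01T10:15:00", "dst_ip": "10.0.5.23", "signature": "EXAMPLE-EXPLOIT-ATTEMPT"}

# Constructed DHCP server log: lease grants with start time and lease length in seconds.
# The address has been handed to three different machines over the period.
DHCP_LOG = """\
2024-02-28T09:00:00 DHCPACK ip=10.0.5.23 mac=aa:bb:cc:00:00:01 lease=86400
2024-03-01T09:30:00 DHCPACK ip=10.0.5.23 mac=aa:bb:cc:00:00:02 lease=86400
2024-03-05T08:00:00 DHCPACK ip=10.0.5.23 mac=aa:bb:cc:00:00:03 lease=86400
"""

# Constructed network access control (802.1X) log: which user authenticated from which MAC,
# and on which switch port.
NAC_LOG = """\
2024-03-01T09:29:50 AUTH-OK mac=aa:bb:cc:00:00:02 user=jdoe switch=sw-floor3 port=Gi1/0/12
2024-03-05T07:59:40 AUTH-OK mac=aa:bb:cc:00:00:03 user=asmith switch=sw-floor1 port=Gi1/0/3
"""


def parse_line(line):
    """Parse 'TIMESTAMP TAG k=v k=v ...' into (datetime, tag, {k: v})."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[2:])
    return datetime.fromisoformat(parts[0]), parts[1], fields


def mac_for_ip_at(dhcp_log, ip, when_iso):
    """Return the MAC that held `ip` at `when_iso` (ISO-8601 string).

    Picks the lease whose [start, start + lease) window covers the event time,
    not the most recent lease, because the address may have been reassigned since.
    """
    when = datetime.fromisoformat(when_iso)
    best = None
    for line in dhcp_log.splitlines():
        ts, tag, f = parse_line(line)
        if tag != "DHCPACK" or f["ip"] != ip:
            continue
        expires = ts + timedelta(seconds=int(f["lease"]))
        if ts <= when < expires and (best is None or ts > best[0]):
            best = (ts, f["mac"])
    return best[1] if best else None


def user_for_mac_at(nac_log, mac, when_iso):
    """Return the latest successful NAC authentication for `mac` at or before the event time."""
    when = datetime.fromisoformat(when_iso)
    best = None
    for line in nac_log.splitlines():
        ts, tag, f = parse_line(line)
        if tag == "AUTH-OK" and f["mac"] == mac and ts <= when and (best is None or ts > best[0]):
            best = (ts, f)
    return best[1] if best else None


def trace_alert(alert, dhcp_log, nac_log):
    """Walk IPS alert -> DHCP lease -> NAC session to recover MAC, user and switch port."""
    mac = mac_for_ip_at(dhcp_log, alert["dst_ip"], alert["time"])
    auth = user_for_mac_at(nac_log, mac, alert["time"]) if mac else None
    return {
        "ip": alert["dst_ip"],
        "mac": mac,
        "user": auth["user"] if auth else None,
        "location": f"{auth['switch']} {auth['port']}" if auth else None,
    }


if __name__ == "__main__":
    print(trace_alert(IPS_ALERT, DHCP_LOG, NAC_LOG))
```

Run against the constructed logs, the trace resolves the week-old alert to `aa:bb:cc:00:00:02`, user `jdoe` on `sw-floor3 Gi1/0/12`. Looking up the address in the current lease table instead would have pointed at the third machine and the wrong user, which is exactly the kind of error that makes delayed, manual correlation unreliable.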
To deal with the threats we face today, our security solutions need to evolve and integrate. Multiple security products and solutions contain contextual information about an event. When those products and solutions are integrated, they share this data to be correlated. Such integrations and correlation have a number of benefits:
- Better indicators of compromise: Not every event requires immediate remediation. In some cases, remediation may not be required at all. When security products such as IPSs analyze an event in relation to the context of the target or source, they can provide better indicators of compromise. This results in faster response to top threats. For example, consider Windows malware being downloaded by a machine running Linux. Without contextual information about the operating system, this event would be logged as high-severity even though the payload cannot execute on the target.
- Event logs with contextual data: When security products receive and store contextual data with event logs, responding to events - even days later - becomes much easier. For example, if the username is available in an event log, reaching out to the end user for remediation is easier.
- Increased effectiveness: With correlation of events and contextual information, the effectiveness of event detection increases drastically. Considering again the example of a Linux machine downloading Windows malware, an IPS with contextual information about the operating system can ignore that event instead of generating a false-positive event log.
- Automated response: When security products are integrated, they can work together to contain and remediate an event automatically. This drastically reduces the time it takes to contain the event. With a lower rate of false positives, the risk associated with automated response is also reduced. For example, consider an IPS that detects malicious activity from an internal endpoint. It can reach out to the network access control system to quarantine the endpoint.
To further understand the benefit of integrating security systems, let’s revisit the previous example of tracing down the user associated with an event that is seven days old. This time, assume that the network access control system in the organization is integrated with the IPS, and it provides contextual information, including the username. With this integration in place, the event log on the IPS would already contain the IP address, MAC address, and username. There would be no need to look at the DHCP server or any other logs. The time and effort taken to find the username associated with the event would be reduced to zero!
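The list above and the revisited example describe the same event after integration: the IPS record already carries NAC context (IP, MAC, username, endpoint OS), so severity can be re-rated against the target and containment can be automated with less false-positive risk. The following added example, not code from the original text or from any vendor product, shows that decision logic on constructed events; the field names (`payload_os`, `context`, the `quarantine` flag) are assumptions chosen for illustration.

```python
# Constructed IPS events, already enriched with NAC-provided context at logging time.
# Event 3 deliberately has no context (for example, an endpoint on a segment without NAC).
EVENTS = [
    {"id": 1, "signature": "MALWARE Win32 downloader", "payload_os": "Windows", "severity": "high",
     "context": {"ip": "10.0.5.23", "mac": "aa:bb:cc:00:00:02", "user": "jdoe", "os": "Linux"}},
    {"id": 2, "signature": "MALWARE Win32 downloader", "payload_os": "Windows", "severity": "high",
     "context": {"ip": "10.0.5.40", "mac": "aa:bb:cc:00:00:07", "user": "asmith", "os": "Windows"}},
    {"id": 3, "signature": "MALWARE Win32 downloader", "payload_os": "Windows", "severity": "high",
     "context": {"ip": "10.0.5.77"}},
]


def adjust_severity(event):
    """Re-rate an event using target context.

    A payload built for an operating system the target does not run cannot execute there,
    so the alert is downgraded to informational instead of producing a false-positive high.
    When the target OS is unknown the original severity is kept: lack of context must
    never silently suppress an alert.
    """
    target_os = event["context"].get("os")
    payload_os = event.get("payload_os")
    if payload_os and target_os and payload_os.lower() != target_os.lower():
        return "informational", f"{payload_os} payload on {target_os} host cannot execute"
    return event["severity"], "target OS unknown or matches payload"


def decide_response(event):
    """Decide what the integrated NAC should do for this event.

    Automated quarantine is limited to high-severity events whose endpoint identity
    (MAC and user) is confirmed by NAC context; anything else goes to an analyst.
    """
    severity, reason = adjust_severity(event)
    ctx = event["context"]
    action = {"id": event["id"], "severity": severity, "reason": reason,
              "quarantine": False, "notify_user": None, "analyst_review": False}
    if severity == "informational":
        return action  # logged for the record, no action required
    if severity == "high" and ctx.get("mac") and ctx.get("user"):
        action["quarantine"] = True          # NAC isolates the endpoint by MAC
        action["notify_user"] = ctx["user"]  # username is already in the event log
    else:
        action["analyst_review"] = True      # context too thin to act automatically
        action["notify_user"] = ctx.get("user")
    return action


def enriched_log_line(event, action):
    """Format the single event-log line an analyst would see days later."""
    ctx = event["context"]
    return (f"id={event['id']} sig=\"{event['signature']}\" severity={action['severity']} "
            f"ip={ctx.get('ip')} mac={ctx.get('mac')} user={ctx.get('user')} "
            f"quarantine={str(action['quarantine']).lower()}")


if __name__ == "__main__":
    for ev in EVENTS:
        print(enriched_log_line(ev, decide_response(ev)))
```

Event 1 (Windows payload, Linux host) is downgraded and produces no action, event 2 is quarantined with the user already identified for follow-up, and event 3 keeps its high severity but is routed to an analyst because there is no confirmed endpoint identity to act on. That last branch is the safeguard the text alludes to: automated response is only as safe as the context that drives it.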
Integration of security products has begun as vendors have realized its importance. Cisco is leading this charge with multiple open standards drafts and integration between all its security products.