Vulnerability management technology: a powerful alternative to attack management for networks
Computer Technology Review, May, 2003 by Tim Keanini
In recent years, enterprise network environments have become more complex, with an increasing reliance on digital assets to provide services that meet business demands. While there are many positive aspects for a company that embraces the Internet, the greatest challenge to overcome is implementing and managing security solutions that ensure network and data integrity and that map directly to the business problems they are meant to solve.
The variety, frequency and complexity of attacks used against corporations are also on the rise (see Figure 1). Scripted attack methods automate the process of breaking into a network to the level of point-and-click; very little skill is required to compromise a network and disrupt business, steal proprietary data, or maliciously damage or modify information and data files. The need to deal with intrusions effectively has never been greater.
Contrary to industry expectation, the deployment of intrusion detection systems (IDS) has done little to decrease the incidence of intrusions or the damage caused by intruders. Intrusion detection systems are not designed to prevent attacks or damage, only to alert administrators that there appears to be an attack taking place. Traditional network security approaches, built around aggregated point products and reactive response models, are simply not up to the challenge.
What is required is a shift in the fundamental philosophy of network security from attack management to vulnerability management. The vulnerabilities and exposures inherent within networked systems allow an attacker to gain a foothold within the network. These vulnerabilities and exposures place an organization at risk. The weaknesses found in the operating systems, applications and services needed to run your business must be constantly assessed to identify the extent of exposure and lower the probability of attacks on critical networks. To do this, companies must focus their resources on proactive rather than reactive security operations and stop the potential damage an attack might inflict before it starts. By proactively measuring the exposure of a network to attack, a security administrator can easily quantify and qualify the risk associated with each device and take the preventative steps needed to increase the survivability of the network and to limit the exposure of key business assets.
Reactive Security: Intrusion Detection
While there are many products on the market today providing intrusion detection, none truly solve the problems faced by today's enterprise network environments. Intrusion detection systems (both host- and network-based) are incident or post-incident based controls.
Both network- and host-based IDS solutions do little to improve the overall network security in a proactive sense, as they have to wait for an incident (attack or breach) to occur before they can start to be effective. Once an attack has been detected by an IDS, the attack has already happened and the damage may already have been done. The IDS in this case can only serve as an audit tool of events that might help to reconstruct the attack and indicate the extent of the compromise. IDS vendors realize this shortfall in their technology and are making drastic changes in the way they represent their technology in the marketplace, moving away from IDS to intrusion prevention. Unfortunately, this is still a reactive solution and many customers do not want to implement in-line blocking of traffic as it may block legitimate users due to false positives. However, with more knowledge of the exposures on the network, intrusion prevention could be more effective and less likely to impact the availability of the network as a whole.
All intrusion detection products are prone to false-positive and false-negative alerts, but none more so than network-based IDS solutions. A false-positive alert, the most common condition, occurs when the IDS flags traffic it believes to be an attack and generates an alert, while the traffic is in fact legitimate. These conditions can be caused by a number of factors (such as a badly written signature or bugs in the IDS software). The large number of false-positive alerts is an industry-wide problem, with little progress being made toward significant reductions. To combat this problem, companies need to implement yet another point-product solution to correlate and aggregate IDS alerts, requiring an even greater investment.
False-negative conditions are situations in which there is a valid attack, but the product fails to alert. Signature-based intrusion detection systems use an architecture of limited scalability that must fully inspect every packet against the whole database of attack signatures. The most common cause of a false-negative condition is high bandwidth utilization and the resulting failure of the intrusion detection system to inspect every packet. As more attacks become known, the signature database grows in size, making the false-negative issue even more prevalent. One very important result of too many false-positive and false-negative alarms is that they can overwhelm an IT staff with "noise" and forensic work that leaves them chasing ghosts, consuming valuable security resources and eventually causing the IT staff to distrust the alerts.
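The two ideas the article ties together, quantifying per-device exposure from assessment data and using that same data so that intrusion prevention does not act on alerts that cannot succeed, in one worked example. This is added illustration code, not from the original article or any vendor product; the inventory layout, alert fields, scoring weights and all host and signature values are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Asset:
    host: str
    criticality: int                          # 1 (low) to 5 (mission-critical), set by the owner
    services: Dict[int, str] = field(default_factory=dict)  # listening port -> product
    vulns: Set[str] = field(default_factory=set)            # weaknesses found by assessment

@dataclass
class Alert:
    dst_host: str
    dst_port: int
    signature: str
    needs_product: str                        # product the signature's attack targets
    needs_vuln: Optional[str] = None          # weakness the attack depends on, if known

def exposure_score(asset: Asset) -> int:
    """Per-device risk: a confirmed weakness weighs more than a merely exposed service."""
    return asset.criticality * (3 * len(asset.vulns) + len(asset.services))

def rank_by_exposure(inventory: Dict[str, Asset]) -> List[str]:
    """Remediation order: the most exposed, most critical devices first."""
    return sorted(inventory, key=lambda h: exposure_score(inventory[h]), reverse=True)

def triage(alert: Alert, inventory: Dict[str, Asset]) -> str:
    """Decide whether an IDS alert deserves action, given what the target really exposes."""
    asset = inventory.get(alert.dst_host)
    if asset is None:
        return "review"                       # no assessment data: cannot suppress safely
    product = asset.services.get(alert.dst_port)
    if product is None:
        return "suppress"                     # nothing listens there; the attack cannot land
    if product != alert.needs_product:
        return "suppress"                     # attack aimed at a product the host does not run
    if alert.needs_vuln and alert.needs_vuln not in asset.vulns:
        return "suppress"                     # right product, but the weakness is not present
    return "escalate"                         # exposed and vulnerable: act now

# Constructed sample inventory and alerts (hosts, products and ids are made up).
INVENTORY = {
    "10.0.0.5": Asset("10.0.0.5", 5, {80: "iis", 443: "iis"}, {"CONSTRUCTED-VULN-1"}),
    "10.0.0.6": Asset("10.0.0.6", 3, {80: "apache"}, set()),
    "10.0.0.7": Asset("10.0.0.7", 4, {25: "sendmail", 80: "iis"}, set()),
}
ALERTS = [
    Alert("10.0.0.5", 80, "HTTP request overflow attempt", "iis", "CONSTRUCTED-VULN-1"),
    Alert("10.0.0.6", 80, "HTTP request overflow attempt", "iis", "CONSTRUCTED-VULN-1"),
    Alert("10.0.0.7", 80, "HTTP request overflow attempt", "iis", "CONSTRUCTED-VULN-1"),
    Alert("10.0.0.7", 21, "FTP login brute force", "wu-ftpd"),
    Alert("10.0.0.9", 22, "SSH banner probe", "openssh"),
]
```

Running `triage` over `ALERTS` escalates only the first alert and sends the unknown host to review, while `rank_by_exposure(INVENTORY)` puts the vulnerable mission-critical host at the top of the patch list.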