Security automation: the next wave

Security automation: isn't that the very nature of the beast? After all, just about any security process can be automated. Firewalls, intrusion-detection systems and antivirus software scan and sniff network traffic and computers for known signatures of attacks, viruses and worms. Vulnerability management systems find and patch holes, so malware can't exploit them. Remote access managers sandbox, scan and sanitize endpoints before allowing network access. And security managers get to view all of this and more from a central monitoring station.

OK, maybe it isn't an integrated monitoring station but rather a bunch of monitoring stations kludged into one console by a security administrator.

That's the nature of the beast, too. The inability of different security products to share network and security information limits security automation. Limitations appear elsewhere, too. For example, intrusion-prevention systems (IPS) lack the intuition to know the difference between a Christmas rush and a denial-of-service attack, which is why companies use intrusion prevention sparingly, or not at all. No security tool will ever be able to set policies aligned to your business's unique characteristics on its own.

Suffice it to say, security will continue to become more automated, but automation will never fully replace human perception, intuition and intervention.

"You can build automated security models in a way to detect problems, establish countermeasures and alert a human, who can then build a filter or countermeasure to protect against that issue," summarizes John Pironti, enterprise architect and security consultant at Unisys Corp. "In this way, there will always be a symbiotic relationship between humans and computers."

Know your business

Intrusion detection, antivirus, firewalls and antispam are fairly mature when it comes to automation -- meaning human intervention is minimized. Where these tools once needed manual updates and heavy hand-tuning of filters, they now essentially run themselves, automatically updating their signature files, blocking worms and viruses, scanning and parsing datastreams, and looking deep into packets to detect bad behaviour, says Vick Wheatman, vice president of security practices at Gartner. Reaching that level of maturation takes five to 10 years, analysts say.

Analysts point to security information aggregation and identity management as two technologies at the other end of the maturation spectrum. That means we won't see mature automation of these disciplines until 2010 or beyond.

But don't just look to product trends to measure automation, says Robert Garigue, vice president and chief information security officer at Bank of Montreal Financial Group. Instead, organizations should focus on how security aligns with best practices and how it can be automated to the point that it moves from just security into the normal operations of the business, he says.

"Stand above the products, above the architecture, and look at the evolutionary process of where automation has happened," says Garigue, a frequent speaker on security maturation frameworks. "For example, firewalls are routine and so have become embedded in our network infrastructures. Patch updates and data quality have moved from exception management to normal operation."

When automated security becomes routine, security teams gain the freedom to deal with new risks and emerging policy issues. "Now we can focus on service-oriented architectures, digital rights management, identity management, and other emerging security issues that need best practices before they can be automated," Garigue says.

In highly regulated industries, best practices and security automation go hand in hand. This is particularly true when it comes to proving who has accessed sensitive data and what events are happening on network segments where sensitive data resides, says Bernie Donnelly, vice president of quality assurance at the Philadelphia Stock Exchange.

"I was looking at security automation back in the 70s when I had to prove the same things three times to internal audit, external audit and (Securities and Exchange Commission) regulators," he says.

Over the years, as the Exchange diversified its trading system platforms, mainframe access controls no longer provided the audit trail regulators required. The new systems provided reams of report data that Exchange personnel needed to sift through just to get at the information in which regulators were interested, Donnelly says.

"We have all this log information, but from a security perspective, we're only interested in who's trying to get in and who's trying to go where they're not supposed to," he says.

So to prevent duplication of security and system expertise, the audit committee and security department created committees at the system and senior management levels. The committees then worked on ways to sort the data to find the exceptions to the company's audit and risk management policies, Donnelly says.

Ultimately, the security team built filters to sift data coming from network and security logs. They installed Consul's InSight Security Manager to manage events and provide an audit trail of internal activity across the mainframe, Unix and messaging servers that make up the trading infrastructure.

"We wanted one system to bring this information together. So we worked with Consul because it's an offshoot of IBM (Remote Access Control Facility), which we still use in our environment. Consul gathers data from all three of our platforms into a central server, which we can query using a single language," Donnelly says.

Note that at the Exchange, as elsewhere, the process of narrowing the information down to manageable levels called for manually building filters. The human is still involved in querying the data to get to the important information.

"There are hundreds of potential information resources to draw security information from. The problem is narrowing it down from the 99 percent you don't care about to the 1 percent that you do," says security analyst Chris Byrnes.

The key to automating security event management is figuring out your sources and managing them down to a stream of information that is actually useful, then applying some automated correlation and analysis, he added. Even correlation and analysis can't be fully automated because only the enterprise owners know what questions to ask the analysis engines.

"If you know what questions to ask these tools, they can provide you with answers. But you have to know what you're looking for and you have to specify the correlation rules. Right now, the vendors haven't done that in a way that's useable in multiple installations," Byrnes says. Furthermore, security information management (SIM) tools fail to take advantage of information already on the network - unless that information comes from a product or system developed or supported by the SIM vendor. So gathering this information for deeper correlation and analysis usually means adding nodes and in-line devices all over the network.
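The reduce-then-correlate approach Byrnes describes, as an added example that is not code from the article or from any vendor's product: the Python below normalises constructed sample records from the three kinds of platform the Exchange mentions (mainframe access control, Unix servers and a messaging server), discards the routine successes that make up most of the volume, and applies three hand-written correlation rules of the kind only the enterprise owner can specify: a burst of logon failures for one user across platforms, a logon success shortly after such a burst, and any denial on a resource the policy marks sensitive. The log formats, the year assumed for syslog lines, the sensitive-resource pattern, the threshold and the time window are all assumptions for illustration; every line of input is constructed, not real output.

```python
"""Added example: normalise logon/access records from three platforms, drop routine successes,
then correlate.  Formats are simplified stand-ins (not vendor output); sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one simplified format per platform.
MAINFRAME = [
    "2005-03-01T09:00:05 RACF USER(JSMITH) LOGON FAILED INVALID PASSWORD",
    "2005-03-01T09:00:12 RACF USER(JSMITH) LOGON FAILED INVALID PASSWORD",
    "2005-03-01T09:00:20 RACF USER(JSMITH) LOGON FAILED INVALID PASSWORD",
    "2005-03-01T09:00:41 RACF USER(JSMITH) LOGON OK",
    "2005-03-01T09:01:00 RACF USER(JSMITH) ACCESS OK DATASET(JSMITH.WORK)",
    "2005-03-01T09:15:00 RACF USER(ABROWN) ACCESS DENIED DATASET(TRADE.SETTLE.MASTER)",
    "2005-03-01T09:16:00 RACF USER(ABROWN) ACCESS OK DATASET(ABROWN.WORK)",
]
UNIX = [
    "Mar  1 09:00:30 trade01 sshd[412]: Failed password for jsmith from 10.1.2.3 port 40112 ssh2",
    "Mar  1 09:30:02 trade01 sshd[455]: Accepted password for ops from 10.1.2.9 port 40200 ssh2",
    "Mar  1 09:31:10 trade01 sudo:   cgreen : command not allowed ; TTY=pts/1 ; COMMAND=/bin/cat /etc/shadow",
]
MESSAGING = [
    "2005-03-01 09:00:35 MQ AUTH_FAIL user=jsmith queue=TRADE.IN",
    "2005-03-01 09:40:00 MQ AUTH_OK user=svc_feed queue=PRICE.FEED",
]

SYSLOG_YEAR = 2005                                    # assumption: syslog lines carry no year
SENSITIVE = re.compile(r"TRADE\.|/etc/shadow")        # assumed site policy: denials here always surface
INTERESTING = {"logon_fail", "access_denied", "logon_ok"}  # logon_ok kept only to feed rule B

RACF_RE = re.compile(r"^(?P<ts>\S+) RACF USER\((?P<user>\w+)\) (?P<op>LOGON|ACCESS) "
                     r"(?P<res>OK|FAILED|DENIED)(?:.*DATASET\((?P<ds>[^)]+)\))?")
SYSLOG_HDR = r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ "
SSHD_RE = re.compile(SYSLOG_HDR + r"sshd\[\d+\]: (?P<res>Failed|Accepted) password for (?P<user>\w+)")
SUDO_RE = re.compile(SYSLOG_HDR + r"sudo: +(?P<user>\w+) : command not allowed.*COMMAND=(?P<cmd>.*)$")
MQ_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) MQ AUTH_(?P<res>OK|FAIL) user=(?P<user>\w+) queue=(?P<q>\S+)")
RACF_KINDS = {("LOGON", "OK"): "logon_ok", ("LOGON", "FAILED"): "logon_fail",
              ("ACCESS", "OK"): "access_ok", ("ACCESS", "DENIED"): "access_denied"}

def _event(ts, platform, user, kind, resource=""):
    # One shape for every platform; user names are case-folded so JSMITH and jsmith correlate.
    return {"ts": ts, "platform": platform, "user": user.lower(), "kind": kind, "resource": resource}

def _syslog_ts(m):
    return datetime.strptime(f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")

def parse_line(platform, line):
    """Return a normalised event, or None for a line this parser does not recognise."""
    if platform == "mainframe" and (m := RACF_RE.match(line)):
        kind = RACF_KINDS.get((m["op"], m["res"]))
        return _event(datetime.fromisoformat(m["ts"]), platform, m["user"], kind, m["ds"] or "") if kind else None
    if platform == "unix":
        if m := SSHD_RE.match(line):
            return _event(_syslog_ts(m), platform, m["user"], "logon_ok" if m["res"] == "Accepted" else "logon_fail")
        if m := SUDO_RE.match(line):
            return _event(_syslog_ts(m), platform, m["user"], "access_denied", m["cmd"])
    if platform == "messaging" and (m := MQ_RE.match(line)):
        ts = datetime.fromisoformat(f"{m['date']}T{m['time']}")
        return _event(ts, platform, m["user"], "logon_ok" if m["res"] == "OK" else "logon_fail", m["q"])
    return None

def normalise(sources):
    """Parse every source; lines no parser understands are counted, not silently dropped."""
    parsed = [(p, parse_line(p, line)) for p, lines in sources.items() for line in lines]
    return [e for _, e in parsed if e], sum(1 for _, e in parsed if e is None)

def reduce_stream(events):
    """The reduction step: keep only the kinds of event some rule can use."""
    return [e for e in events if e["kind"] in INTERESTING]

def correlate(events, fail_threshold=3, window=timedelta(seconds=60)):
    """Three hand-written rules; threshold and window are assumed, site-specific values."""
    alerts, by_user = [], defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        fails = [e for e in evs if e["kind"] == "logon_fail"]
        burst_end = None
        for i in range(len(fails)):                    # rule A: failure burst, any mix of platforms
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= fail_threshold:
                burst_end = fails[j]["ts"]
                alerts.append({"rule": "logon_burst", "user": user, "count": j - i + 1,
                               "platforms": sorted({e["platform"] for e in fails[i:j + 1]})})
                break
        if burst_end is not None:                      # rule B: a success right after the burst
            for e in evs:
                if e["kind"] == "logon_ok" and burst_end < e["ts"] <= burst_end + window:
                    alerts.append({"rule": "burst_then_success", "user": user, "platform": e["platform"]})
                    break
        alerts += [{"rule": "sensitive_denied", "user": user, "platform": e["platform"], "resource": e["resource"]}
                   for e in evs if e["kind"] == "access_denied" and SENSITIVE.search(e["resource"])]  # rule C
    return alerts

def run():
    events, unparsed = normalise({"mainframe": MAINFRAME, "unix": UNIX, "messaging": MESSAGING})
    kept = reduce_stream(events)
    return {"parsed": len(events), "unparsed": unparsed, "kept": len(kept), "alerts": correlate(kept)}

if __name__ == "__main__":
    print(run())
```

On the sample, the three mainframe failures, the sshd failure and the messaging failure for jsmith fall inside one window and surface as a single cross-platform burst, followed by the mainframe logon that succeeded 6 seconds later; the two denials on sensitive resources surface on their own. Two design choices are worth keeping in a real deployment: the `unparsed` count is returned rather than discarded, because a source whose format the collector does not recognise is a blind spot rather than noise, and the case-folding of user names is what lets a mainframe record and a Unix record be about the same person at all.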

"This is happening in both the wired and wireless spaces. It's the battle for the security management console," says Diana Kelley, executive security adviser for Computer Associates. "If we're going to automate, it has to be integrated and open. We have to be able to take information off IDS, firewalls and other reporting mechanisms in the enterprise, regardless of vendor. And for that, we need standards."

Look to standards

For the past two years, CA has been working with the Open Security Exchange to develop a common way of identifying and sharing security event information across multiple brands and types of devices. The Open Source Vulnerability Database, started at DEFCON in August 2002 to share common vulnerability definitions among vulnerability management systems, is another resource. And the IETF's venerable SNMP, which network management vendors have been using for decades, remains a must-have in the enterprise.

Coast Capital Savings is banking its security management future on SNMP. The credit union, with 2000 users in 50 retail operations, is rapidly expanding through mergers, acquisitions and new construction. To support the company's aggressive growth, Andrew Banman, senior system engineer, is developing a "branch in a box" template to get branches up and running with standardized security manageable at a single console. "We need to come up with standards and boilerplate methodologies, tools and gear to support manageability that won't go out of date in a couple of years," Banman says. "The tools to do this are complex. The implementation is complex. So you need to step back and carefully plot a course."

Banman's team is working out an ambitious two-year plan to unify all security and management information using SNMP. Already, the team uses the FirePass SSL VPN box by F5 Networks to check the security integrity of remote machines against the company's security policy before allowing user access to the data centre.

For its custom banking applications, the team is writing SNMP traps to track errors. And, from an infrastructure perspective, it's working with Cisco Systems and 3Com to secure voice, video and data on the same stream.

"Monitoring all this data can become a huge nightmare. We'll buy where we can, write what we can, and use SNMP management to help unify it all," Banman says.

Leverage your infrastructure

Until all standards are as mature as SNMP, collecting and correlating security information from disparate devices continues to be an expensive and difficult undertaking.

Enter the attempts to integrate security management into switch management platforms: 3Com plans to integrate IPS technology acquired from TippingPoint Technologies early this year, Cisco last year introduced its self-defending network concept of secure access, IPS and security monitoring, and Enterasys Networks offers integrated antivirus and policy management.

Enterasys' security management products are in use at a university to block viruses or attacks at the switch ports - a function the university gets without having to install a node on each of its 3500 switches and 65,000 endpoints.

When a hack or viral activity is detected on a specific port, Enterasys Netsight Atlas Console puts that computer into a remediation state until the computer is repaired, says Mike Hawkins, associate director of data networking at the university. It uses Netsight Policy Manager to push traffic-blocking policies out to the edge switches in response to an ongoing threat.

Combined, the products significantly reduce the chance that malware might spread throughout the network, Hawkins says. "It takes less than a minute to stop an evil-doer. And with Netsight Policy Manager, we can respond in minutes to an ongoing threat," he says.

Determining where on the network - say the switches or routers - to take advantage of the vendor security management capabilities means setting objectives, Byrnes advises. "You need to ask yourself what data you most need to protect, what sources of information you'll need to do that protection and then start looking at what supports those sources," he says.

With the answers to these questions, you can align your security automation to the business, which is a far cry from automating everything, Unisys' Pironti says.

Understand user roles

As another example, take identity management. The capability exists to automate access management to every application at as fine-grained a level as you can imagine, as long as you're not averse to writing custom hooks for all your custom applications and for any other applications with which the vendor product might not integrate. Yet from a business standpoint, automating user roles and provisioning resources is simply not feasible at too fine-grained a level, says Brad Bauch, a partner with PricewaterhouseCoopers' security and privacy practices.

However, those parts of identity management that can be easily automated already are moving out of security and into everyday operations -- per Garigue's security-maturation model.

Bauch points to self-help password resets, which have clearly demonstrated ROI by reducing help desk calls by up to 70 percent in some organizations. And de-provisioning already is fully automated in his client sites and, for the most part, has become a human resources function. Furthermore, users can launch new account requests.

There's a pattern with all security automation, Garigue says. First you identify the risk, then develop standards and finally, you automate best practices. This pattern will repeat itself far into the future, particularly as companies deploy new data centre architectures for distributed and service-oriented computing, he adds.
