Defending your network: Detection versus Prevention
When you think of a very secure facility, what comes to mind? I think of imposing buildings, surrounded by a huge spike-topped fence, and some armed guards roaming around outside.
And what comes to mind when you think of a secure corporate network? Firewalls, IPS’s, and two factor authentication are the things that jump to mind for me.
Those defenses are not enough to make a network (or a building) secure.
I am not here to argue that those defenses are bad. Certainly they are an important part of a good security scheme, but by themselves they cannot protect a building or a network. All of the protection mechanisms mentioned above are preventative in nature; meaning their goal is to stop an attack from being successfully completed.
Preventative defenses are susceptible to being defeated. Firewalls have to have some kind of access allowed, which may be used to gain a foothold. IPS’s are unable to accurately categorize every packet that flies by, and two factor authentication is only as good as the implementation. Even if your preventative defenses are not breached, you may see authorized employees performing unauthorized activities. Preventative techniques are very poor at helping with that type of situation.
That’s where detection systems come into play. These systems are not meant to stop a hacker from getting onto your systems, they are meant to provide evidence of who did it, when they did it, and what they did. Detective systems are what we need to count on to give us assurance about the state of our network, and to provide the relevant details when an incident takes place.
The moment a hacker makes it through your firewall, a good detective system will generate traffic that can be used to both identify that a breach occurred, as well as provide forensic evidence later to track who did what. Preventative systems are much harder to defeat because even if you manage to turn them off, that in itself should generate alerts to let you know something has happened.
Detective technologies especially shine when it comes to providing auditing on trusted employees. SIEMs can be set to watch for suspicious activities, which may be an indication of fraud, and alert on them. Log management systems can be used to dig into the details of processes and transactions that have failed to help us figure out where things went wrong.
Log monitoring is my favorite preventative technology. These systems start with the premise that moving log files to a central logging location allows for greater security and easier reporting on issues. If a hacker manages to take over ServerA, they will not be able to wipe away evidence of their crime, because ServerA’s logs are actually being held on LogServerA. Covering their tracks becomes increasingly difficult, or impossible.
Intrusion detection systems are another effective way to detect unauthorized behavior on your network. Since the IDS systems are monitoring all traffic that flows through the network, the attacker will be detected as soon as first contact is made. Even if his connection looks innocent and does not trigger an alert, that data will remain in the system to be used during investigations.
In conclusion, prevention is not enough. Our prevention systems cannot block every type of malicious activity, and we should not expect them to. Implementing high quality detective technologies gives us the kind of visibility into what’s going on in our network that we can never have without them.
Connect with Robb on Google+