Comment: New Approaches Needed for Database Security and Advanced Network Threats

Duane Kuroda makes his case for a more effective threat management mouse trap

As highlighted in the recent Target breach investigation, deeper threat context and push-button automatic response should be in the toolbox of information security professionals to reduce false positives, speed up prioritization, and enable immediate system lock-down to halt data theft and breaches. Network security technology has evolved to provide robust perimeter protection for today’s complex network environments. Unfortunately, traditional network security solutions have not kept pace, and perimeter security falls short when it comes to addressing the core of the network.

Perimeter security’s limited visibility into the protocols used to access core network assets and a heavy reliance on signatures has hampered its ability to reliably detect attacks occurring against databases and servers in data centers. New attacks aren’t limited to the standard SQL injection techniques, but have expanded to include obfuscated and optimized SQL injections, bot redirections, privilege escalation, and abuse of form entry and API communications formats.

A new security approach is required – one designed to more actively understand the networks, sub-networks, and assets it is protecting. The ability to understand the protocols, ports, and users accessing data is also a requirement, as is the ability to quickly block them when there is a compromise. Detection systems need to go beyond simple pattern-based threat detection and be capable of accurately separating normal behavior from attacks. New approaches start with the attack surface and extend to automated tools to enforce protection. In between, tasks include monitoring the core network, protocol layers, and user behavior to aggregate and distill actionable threat information.

When data breaches hit millions of users, a well-prepared security staff should be able to press one button to isolate core databases or infected machines, and even segment networks across internal firewalls to stop the infection immediately. New approaches are cognizant of the need to automatically mitigate and contain threats in real-time, affecting and updating hundreds of enforcement devices if and when necessary.

Automated Detection Needs Automated Response

Although some new approaches and technologies can be applied to identifying advanced attacks, there are still gaping holes in the response phase. For example, many security teams still manually research a detected threat, evaluate the impact, determine who or what systems were involved, and establish the type and significance of the threat. This manual investigation is still a painstaking process that must be completed to characterize the threat and possible responses before the response team can mitigate or contain the problem.

Depending on the size of the organization, this manual process occurs hundreds – if not thousands – of times per week. Many IT security teams have been at a breaking point, causing significant delays in response times and raising the risk that critical threats will not be addressed.

Recent technology advances from companies like FireEye have dramatically improved the detection of malware, and next-generation intrusion prevention (IPS) and intrusion detection (IDS) systems also help detect database attacks. One side-effect of automatic detection tools is the creation of a whole new problem – how to respond to all these new alerts?

A better and more secure approach would marry automatic detection with automatic response technologies. For robust protection, security professionals should deploy automated tools to detect, investigate, mitigate, and contain the new generation of threats affecting database security.

Context Matters

If an advanced malware detection tool or next-gen IDS reported a threat, would your incident response team automatically know which databases or servers were targeted? A more effective approach would connect the dots between threats, targeted databases and users, adding insight and initiating automatic responses to verified threats. Automatic investigation tools could detect access to the database network segment or server, and then automatically fire off containment updates to block access by infected systems to those servers and networks, or initiate mitigation protocols that slow traffic access, elevate logging, trigger additional packet capture, and more.

Likewise, new technologies in this approach would be able to use attack data to vet the source and destination of suspected traffic while understanding the severity and urgency of the detected threat, as well as the likelihood of a false positive. In a best-case scenario, the new approach would generate reports that security teams can review before confirming whether a threat is critical or a false positive, and then enable mitigation or containment – network wide – with the push of a button.
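The enrichment-and-response loop described in the two paragraphs above (and the one-button containment from the opening section) can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the author or from NetCitadel. The asset inventory, the allow-list of expected database clients, the enforcement device names, the category weights and the alerts themselves are all constructed for illustration. Each alert is mapped to the segment and asset it targets, the source is vetted against who is expected to reach that segment, a severity and false-positive estimate are derived, and the proposed firewall rules are generated but only released by a separate confirmation step.

```python
import ipaddress
from dataclasses import dataclass

# Constructed asset inventory (hypothetical addresses and names): which
# network segments hold which core assets and how critical each one is.
ASSET_SEGMENTS = {
    "10.10.5.0/24": {"segment": "db-core", "asset": "orders-db", "criticality": 3},
    "10.10.6.0/24": {"segment": "db-core", "asset": "customer-db", "criticality": 3},
    "10.20.0.0/16": {"segment": "app-tier", "asset": "web-frontend", "criticality": 2},
    "10.30.0.0/16": {"segment": "user-lan", "asset": "workstations", "criticality": 1},
}
# Constructed allow-list of sources that legitimately reach the database
# segment (application tier, a DBA jump host); anything else is unexpected.
EXPECTED_DB_CLIENTS = ["10.20.0.0/16", "10.40.1.10/32"]
# Hypothetical enforcement points that receive containment or mitigation rules.
ENFORCEMENT_DEVICES = ["fw-dc-edge", "fw-db-segment"]
# Assumed weight of each detection category in the severity score.
CATEGORY_WEIGHT = {"sql-injection": 3, "malware-c2": 3, "privilege-escalation": 3,
                   "port-scan": 1}

@dataclass
class Alert:
    source: str
    destination: str
    dest_port: int
    category: str      # detection tool's label, e.g. "sql-injection"
    confidence: float  # detection tool's own confidence, 0.0 to 1.0

def lookup_asset(ip):
    """Map a destination address to the asset record of its segment."""
    addr = ipaddress.ip_address(ip)
    for cidr, info in ASSET_SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return info
    return {"segment": "unknown", "asset": "unknown", "criticality": 0}

def source_is_expected(ip, segment):
    """Only the db-core segment carries an allow-list of expected clients."""
    if segment != "db-core":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in EXPECTED_DB_CLIENTS)

def assess(alert):
    """Enrich one alert with asset context and propose a response."""
    asset = lookup_asset(alert.destination)
    expected = source_is_expected(alert.source, asset["segment"])
    # Severity: criticality times category weight, plus a bonus when the
    # source has no business talking to that segment at all.
    severity = asset["criticality"] * CATEGORY_WEIGHT.get(alert.category, 2)
    if not expected:
        severity += 2
    # False-positive heuristic: a confident detection from an unexpected
    # source is the least likely to be noise.
    if alert.confidence >= 0.8 and not expected:
        fp = "low"
    elif alert.confidence >= 0.8 or not expected:
        fp = "medium"
    else:
        fp = "high"
    rules = []
    if severity >= 8 and fp == "low":
        action = "contain"   # block the source from the whole target segment
        for device in ENFORCEMENT_DEVICES:
            for cidr, info in ASSET_SEGMENTS.items():
                if info["segment"] == asset["segment"]:
                    rules.append({"device": device, "action": "deny",
                                  "src": alert.source, "dst": cidr})
    elif severity >= 4:
        action = "mitigate"  # keep traffic flowing but raise visibility
        for device in ENFORCEMENT_DEVICES:
            rules.append({"device": device, "action": "log-and-capture",
                          "src": alert.source, "dst": alert.destination})
    else:
        action = "monitor"
    return {"alert": alert, "asset": asset, "source_expected": expected,
            "severity": severity, "false_positive": fp,
            "action": action, "rules": rules}

def report(verdict):
    """One-line summary an analyst reviews before pressing the button."""
    a = verdict["alert"]
    return (f"{a.category} {a.source} -> {a.destination}:{a.dest_port} "
            f"[{verdict['asset']['asset']}/{verdict['asset']['segment']}] "
            f"expected_src={verdict['source_expected']} severity={verdict['severity']} "
            f"fp={verdict['false_positive']} action={verdict['action']} "
            f"rules={len(verdict['rules'])}")

def apply_after_review(verdict, analyst_confirmed):
    """The push-button step: rules reach enforcement devices only on confirmation."""
    return list(verdict["rules"]) if analyst_confirmed else []

if __name__ == "__main__":
    # Constructed alerts as a detection tool might emit them.
    for alert in (Alert("10.30.4.7", "10.10.5.20", 3306, "sql-injection", 0.9),
                  Alert("10.20.3.3", "10.10.6.5", 5432, "sql-injection", 0.6)):
        print(report(assess(alert)))
```

The first constructed alert (a confident SQL-injection detection from a workstation address straight at the orders database) scores high, is rated unlikely to be a false positive, and yields deny rules for every database subnet on every enforcement device; the second, from the application tier that is expected to query the database, is downgraded to a logging-and-capture mitigation because the same signature from a legitimate client is far more often noise. Keeping rule generation and rule release in separate functions is what makes the "review the report, then press the button" workflow possible.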

Enterprises need to substantially reduce the time and effort required to contextualize detected threats, and quickly contain modern malware and targeted attacks. This is a vital requirement of a novel approach; however, some ‘new’ technologies are extremely rules-heavy or require custom coding, turning the hope of automated incident response into a long, drawn-out study in software development, testing, and maintenance – which further increases risk instead of decreasing it.

Where Do We Go from Here?

As attacks on databases and networks become more advanced, so do the requirements for rapid response. It is likely we’ll see attackers continuing to up their game. Organizations that are able to invest more in best practices as well as automated detection, investigation, mitigation, and containment will be less likely to experience a damaging attack and can minimize the damage when one does occur.

The quest for the better threat management mouse trap is in full swing.

Duane Kuroda is a senior threat research manager at NetCitadel, where he looks at the breadth and depth of threats that impact the company’s customers. Before NetCitadel, Kuroda was with Check Point Software Technologies, where he worked with the Threat Emulation Sandboxing Technology team. His previous experience includes nSolutions, a company involved in cloud and data center compliance technologies, and time as an analyst with Gartner.