By John Breeden II, Network World | August 11th, 2014
Automated incident response promises total network security by combining threat detection, prevention and response.
Automated incident response is one of the fastest growing fields in computer security. Alternatively called threat monitoring, vulnerability management or threat management, it encompasses the seemingly impossible task of defending a network from active threats as they happen, in addition to detecting every possible vulnerability that could be exploited by an attacker.
As such, you don’t see tons of companies jumping into this area. But several companies have come out with automated incident response products and three of the leading vendors accepted our invitation for a comparative review — Tenable Network Security SecurityCenter, Hewlett Packard WebInspect and Co3 Systems Security Module.
Since vendors typically have their roots in one of those three areas — detection, prevention or automated response — their approaches are influenced by that starting point, leading to slightly different methods to achieve the goal of total network security. This means we needed to look at how effective the tools were overall, since there are few other metrics that can be compared side by side.
For this review, all programs were installed and tested with a variety of client machines and servers in a moderately sized test bed. Because the tested programs are all designed to work with hundreds and thousands of systems, no attempt to test scan performance was made, though program features designed to speed up scans were noted.
Each program was evaluated on ease of installation, features, ease of use, and automation level whether the program actually helped make patching the holes easier or simply pointed out what to do without any tracking or recommendations. In a sense, automation level could also be considered how complete the package is, now that all three elements of detection, prevention and response are combined together.
As a meshed, mature and easy to use product, Tenable SecurityCenter scored the highest of the three products in this review. It was able to provide true continuous monitoring for networks of any size and used customized dashboards to show the most relevant information concerning security to those who need to know. It’s almost impossible to conceive of a successful attack occurring on a network that is so well guarded by SecurityCenter, where every PC, device and connection is constantly monitored for malicious or abnormal behavior.
HP WebInspect, by comparison, requires a little more elbow grease to get the job done, but might be perfect for organizations that like to take a more active approach to their security precautions. It uses the concept of having to think like a criminal to catch one and launches thousands of real but benign attacks against a network, silently recording which ones are successful. Network administrators can then plug real holes and use WebInspect to check their results. WebInspect will reveal the ugly truths about security on any network, but requires security professionals to roll up their sleeves to fix individual problems.
The Co3 Security Module is the strongest in this review when it comes to the response side of the equation. While the Co3 product is only just getting into the areas of helping to fix problems, it can illuminate a perfect and legally sound response to any incident. Given that most organizations fail at their response to attacks not notifying users, not bringing in the proper state or national authorities or not meeting their legally mandated responsibilities the Co3 Security Module is a good choice regardless of what program is actually guarding the gates.
Here are the individual reviews:
Tenable Network Security SecurityCenter
The SecurityCenter program from Tenable hits all three areas of detection, prevention and automated response as the most complete package in this review. It’s simply the best in every tested area.
It achieves this feat by first inventorying every system on a network and giving administrators a complete view of everything that is running and how everything interrelates. For example, looking at the results of a scan, you can immediately tell how many systems on any given network have anti-virus programs installed, and which ones are up to date. It also shows the number of firewalls that are deployed, and what systems are actually being protected by which ones. This complete network picture can help to knock out the lowest hanging fruit type of problems, like systems outside of a network firewall or old antivirus definitions.
It can also identify devices and clients that may no longer serve a function, like an old print server or a network switch that used to be important but which is no longer used. If those devices have not been removed and decommissioned, they can still provide an attack path for a clever or lucky hacker. And almost every large enterprise network is going to have at least a few.
SecurityCenter was even able to find an old PC we stuck at the very edge of the test network, sitting behind a switch and three hubs, which had no function or active network connectivity. And it discovered a PlayStation 4 which was connected to the test network through a wireless connection that was accidentally not disabled prior to the test.
Once that is in place, SecurityCenter can be used to find variances that stick out, and it can get very granular in this part of the examination. Systems that have configurations outside of the default pattern or which are using more of their CPU than others performing similar tasks can be flagged for follow-up even before the main features of the program are brought online. Although not specifically designed as a network auditing or diagramming tool, SecurityCenter does a fine job providing this as the baseline the rest of the system is built upon.
Once everything in a network has been discovered, SecurityCenter can enter continuous monitoring mode. It does this using a process of scanning, sniffing and logging while also looking for any indicators of compromise. For example, an Android phone that we purposely infected with rudimentary homegrown malware was detected based on its behavior alone, because the device was attempting to make queries into a protected database. Threat intelligence is also brought into the program from other vendors, so known botnets and common attacks are immediately found and identified. And because SecurityCenter first found all devices on a network, even older, forgotten or previously unknown computers will be protected.
SecurityCenter works by combining threat intelligence with network sniffing and passive scanning. It does not conduct full packet inspections of all traffic running through a network, nor does it decrypt SSL packets. Doing so would certainly increase the scan time by a large margin, and in our testing, SecurityCenter was able to stop every attack based on the behavior of the protected devices alone. That said, some very highly secure organizations may insist on deep packet inspections, which SecurityCenter doesn’t offer.
Once an incident is detected, the response is quick and configurable based on what an administrator pre-programs, based on severity, device type or anything else. Emails can be sent to the appropriate people, deeper scans of suspect devices can be initiated, trouble tickets can be opened and log files can be written to name just a few possibilities. There are a lot of configuration options so that, for example, something minor like a new vulnerability being detected might warrant a low priority response while a critical problem like an ongoing attack could literally raise the alarm.
The icing on the cake for SecurityCenter is the easy-to-use security dashboards, which can be configured to show exactly what an administrator needs to know at a glance.
Dashboards can be set to show, for example, how many devices on a network comply with special regulations like HIPAA. Dashboards can be as complex as bringing up a list of vulnerabilities for compromised systems, or as simple as a big red light that illuminates should a critical problem be detected. SecurityCenter has quite a few out-of-the-box dashboards that should work for almost any installation, and either Tenable or a trained administrator can make custom ones, if needed.
HP keeps a pretty tight lid on who can use HP WebInspect and how it can be deployed. And that’s a good thing because in the wrong hands, WebInspect would be a very dangerous weapon. For this review, we had to specify the IP range that was being scanned and the license would not allow us to ping anything outside of that zone. HP says companies that purchase the program would be under the same constraints, but that it’s possible to modify the license after the fact by letting HP know how it should be expanded.
The reason for all the tight security is that WebInspect launches actual attacks, over 3,300 of them, against all known vulnerabilities across an entire network. A team at HP is constantly updating the number and type of attacks the program launches so that all the latest vulnerabilities can be found. Although this relies on active scanning, it’s relatively quick when dealing with a moderate number of clients and devices, though it might take days in massive enterprise settings.
Pointing it at a fake online bank with 800 devices that HP set up for the test took about a minute. Our much smaller local testbed was scanned in just a few seconds. The speed of the scans is also somewhat dependent on the hardware that WebInspect is installed upon. We used a workstation class computer as our base, but a large enterprise user will likely want to have a server or appliance just dedicated to the scanning.
The attacks that WebInspect launches are benign. They don’t do anything malicious. But they record when they get through, showing that they could have caused mayhem at some level had they been equipped with a dangerous payload. The value for security administrators is that WebInspect shows the attack used, the path the program took to reach its destination and the vulnerabilities that were exploited. Looking at the scan results, one can easily see why the program could be dangerous in the wrong hands, as it would provide multiple road maps showing how to successfully attack any network.
The idea is that security personnel can take the successful attack data and go to the exact systems that were successfully attacked to fix the hole. Then they can trigger WebInspect to again launch just the specific attack they have tried to fix to confirm that it’s no longer a vulnerability. One by one, each attack path or vulnerability is thus eliminated until an entire network is cleared of all vulnerabilities. The program then continuously scans the network on a regular basis to look for new threats based on the latest attacks, or as new devices come online, making it a core component to any automated incident response routine.
The base WebInspect program is incredibly powerful, but to get the full value of the program requires another element, HP WebInspect Agent, be installed on scanned devices. The latest version of the Agent program is free to WebInspect users, but it needs to be installed on every individual device to get the added protection it offers.
Agent works by enhancing the information provided by WebInspect attacks. The biggest vulnerability that was found with Agent added to the mix was cross-scripting errors which could allow an attacker to inject their own code into web servers. Only with Agent running on the backend could we initiate a stack trace to find this vulnerability, since the Agent acts like an inside man, showing exactly what is going on inside the protected host system. Another advantage to using Agent is that attacks like SQL injections are better defined with path information and specific attack strings. While WebInspect can report that a server is vulnerable to those types of attacks, only with Agent does the exact database attack query come to light.
Agent can also find web pages that don’t link anywhere and have likely been abandoned or forgotten, yet are still part of the enterprise and will still display if someone types their addresses directly. Those pages could be a vulnerability as long as they are still active, yet in most large websites there are at least a few that slip past content designers over the years. As such, Agent should probably be installed on any public-facing devices at the very least, especially those tasked with displaying web content.
Although WebInspect requires a little bit more technical knowledge than some programs, the ability to launch actual attacks as part of an automated threat response system can’t be overstated. Organizations that need to know the hows and whys of attacks directed against them should consider the program despite the extra effort installing it and its companion Agent program entails.
Co3 Security Module
The Co3 Security Module began life on the incident response side of the house, and it remains well ahead of everyone else in that area, even as it begins to branch out into detection and monitoring. In fact, there is no reason that the Security Module couldn’t be implemented as part of an overall security plan to shore up responses to intrusions, even if other methods of detection and continuous monitoring are also employed.
The idea behind Security Module is that most organizations don’t know what the proper, and sometimes legally mandated, response is to an intrusion or data theft. Companies may move in and patch a hole, but they may be dropping the ball if they also need to inform certain authorities about the incident. Beyond just the legal requirements, there are several best practices guidelines that should probably be adhered to as well.
The Security Module goes well beyond just patching up the network in the event of an incident. It checks all the valid regulations that apply and spells out exactly which ones need to be dealt with based on the type of data that has potentially been compromised, the location of the breach, how large a data theft is possible and whether the loss is the result of an actual attack or an accident.
A proper response in the state of Tennessee may be completely different from what needs to be done in California, Canada or Europe. The Security Module is kept up to date with all state and federal regulations in the United States and those from Asia, Europe and South America. It even keeps best practice responses on file for major trade organizations, so nothing is left to chance. All of that data is kept up to date by a team of researchers so that the day that a new data security law goes into effect in Ohio, the program will reflect that new information if an intrusion involves that state.
Although we did not test it, Co3 also makes a Privacy Module program that follows this same pattern, but works with the loss or theft of personally identifiable information. Given how much data mingles in databases these days, it’s probably a good idea to have both.
Out of the box, the Security Module comes configured with the names and contact information for the various people and organizations that should be contacted to report various incidents. The contact information of people inside a company that should be involved in a security response need to be added in, and can be done so ahead of time or on the fly as an incident happens.
At the simplest level, a security professional simply enters in all the known information about a loss of data and the program generates the proper response plan, or asks more questions until a perfect plan can be formulated. In a lot of ways it works like an expert system and is very easy to use by simply checking the needed boxes.
The Security Module also can open up security monitoring to everyone on a network. Users can report suspicious activity, like their computers booting up slowly, or if they received a suspicious e-mail that might be part of a phishing campaign trying to snoop passwords. Security personnel often have more options when detailing an incident, such as logging the IP addresses of attackers. That is where threat monitoring and intelligence is starting to come into play. Reports are automatically checked against known threats, so that the Security Module will alert administrators if the network is under a known attack and help to plan the response accordingly.
We tested the program along every step of the chain, from a normal user through to a security response team. We detailed several incidents from a phishing e-mail campaign to a user who clicked on a suspicious link to a user who lost a laptop containing unencrypted personal and medical information, plus quite a few other scenarios.
In all cases we were told exactly who to contact, and how long we had to tell the proper authorities what was going on with our network. In each case we were also given the most current information for government officials and organizations. For example, in one case we were warned that the United States Department of Homeland Security needed to be notified within 60 minutes of discovering the loss of a particular type of information.
Of the programs in this review, the Co3 Security Module is the least automated. Most incidents require that someone report a problem. The program encourages this by the implementation of a sandbox mode where users can practice reporting incidents without having them actually get logged into the system. It’s possible that a well-trained group of users could provide nearly instantaneous reporting of security problems, though this would require some training and lots of voluntary participation.
Although the Co3 Security Module probably isn’t ready to become the only security platform a company should implement, having it in place can streamline a lot of the sometimes chaotic activity that occurs after an attack, and can also help to ensure the least amount of legal vulnerability, especially when dealing with personal or healthcare related information. Given that it’s after an attack when most of the companies involved in recent high-profile data breaches have stumbled badly, having a built-in plan ready for almost any eventuality isn’t a bad thing at all.