A hacker is scanning your network for vulnerabilities. An alert sounds. But does anyone notice? Is anyone monitoring your audit logs? For many IT managers, the answer is no.
“One of the biggest problems in the IT industry is audit log management,” said Mark Kadrich, director of security at Conxion, a Web-hosting company headquartered in Santa Clara, CA. “Being able to keep track of what your audit log is saying and being able to act on it and make business decisions is critical.”
Kadrich issued the same warning as many security experts: You can have all the security products in the world, but if you can’t detect and react quickly to intrusions, those security devices can’t help.
Senior management at Conxion realized the company needed help monitoring its audit logs, so they enlisted a managed security monitoring company, Counterpane Internet Security Inc., based in San Jose, CA.
Counterpane puts a probe on your network and collects information from security devices, including firewalls, routers, and servers. The probe filters the stream down to the more interesting messages and raises alerts. Then a team of Counterpane analysts at two operation centers evaluates the information and determines whether it’s a false alarm or a problem that requires action. When an intrusion is detected, the analysts notify the customer and coach them through an appropriate response until the intrusion is repelled and the network is repaired.
Counterpane is one of only a few companies that offer the comprehensive 24/7 monitoring known as managed security monitoring (MSM).
This is only a test
This past spring, Counterpane issued an alert when it appeared someone was attacking Conxion’s core infrastructure routers. Within 10 minutes, Counterpane alerted Conxion. Within 15 minutes, the Counterpane analysts identified the attackers and determined what they were doing. It turns out the attack was actually a test performed by an outside agency that audits Conxion’s network.
“We called them and said, ‘You’re busted.’ They were amazed. We got a big, big smile from our auditing company,” recalled Kadrich. “But had this been an actual emergency, we would’ve been able to take appropriate action.”
Counterpane representatives say they have detected actual intrusions for other clients as well. So far, Counterpane has about two dozen customers. They include ISPs, backbone network companies, financial institutions, online services such as help desks, and other dot-com related businesses. One of the key selling points for MSM is that it relies on the intelligence and response of actual people, not just technology.
“Security is a process, not a product,” said Bruce Schneier, cofounder of Counterpane Internet Security. “Security products will not save you.”
Security at a price
The cost for Counterpane’s services is about $12,000 a month. Some competing firms that offer outsourced security services are critical of that big price tag.
“If I were a small company making a million dollars in profit off $30 million in sales, and I’m spending $144,000 a year on security, that’s a significant percentage of gross profit for someone to basically watch my front door to see if someone will break in,” said Don Justice, practice leader for training at Panurgy, based in Millersville, MD.
Justice said $12,000 a month may be cost-effective for a Fortune 500 or Fortune 1000 company, but it’s likely not affordable for small- to medium-size businesses.
Panurgy offers less expensive outsourced services. Based on a model of a small business with two servers and 25 users, Panurgy can monitor the servers, router, and switches, and keep up with the event logs, for $500 a month or $6,000 a year. It’s all done remotely through an IP address.
But a spokesperson for Counterpane said companies that analyze the true cost of security find that Counterpane is reasonable. For example, Conxion views the cost as the equivalent of one full-time person. “But instead of one person, you get an army of people working around the clock,” explained Kadrich.
“There’s no cheap answer,” said Schneier. “If we had a cheap answer, we’d offer it.”
Secrets to security success
Schneier has spent most of his career designing security products for computers and consulting clients such as Microsoft and the National Security Agency. He offers this checklist of commonsense ways to prevent, detect, and respond to security problems.
- Limit privilege. Don’t give any user more privileges than she absolutely needs to do her job.
- Secure the weakest link. Spend your security budget securing the biggest problems and the largest vulnerabilities.
- Use choke points. By funneling users through choke points (think firewalls), you can more carefully secure those few points.
- Provide defense in depth. Don’t rely on single solutions. Use multiple complementary security products, so that a failure in one does not mean total insecurity.
- Fail securely. Design your networks so that when products fail, they fail in a secure manner.
- Leverage unpredictability. You know your network; your attacker doesn’t. Make his job harder by disguising things and adding honeypots and booby traps.
- Enlist the users. Social engineering attacks are often the most damaging of any attack and can only be defended against with user education.
- Embrace simplicity. Keep things as simple as absolutely possible. Security is a chain; the weakest link breaks it. Simplicity means fewer links.
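Two of the items above, “limit privilege” and “fail securely,” translate directly into how an authorization check should be written. The snippet below is an added illustration, not code from the article, Counterpane, or any product it mentions: a policy table that grants each role only the actions it needs, a check that denies anything not explicitly listed, and error handling that denies when the policy source cannot be consulted. The roles, actions, policy table, and the simulated outage are constructed for the example.

```python
"""Least privilege plus fail-closed authorization (constructed example)."""
from __future__ import annotations

import logging

log = logging.getLogger("authz")

# Constructed least-privilege policy: each role lists only the actions it
# needs for its job. Anything not listed here is denied.
POLICY: dict[str, frozenset[str]] = {
    "help-desk": frozenset({"ticket:read", "ticket:comment", "password:reset"}),
    "billing": frozenset({"invoice:read", "invoice:issue"}),
    "auditor": frozenset({"ticket:read", "invoice:read", "auditlog:read"}),
}


class PolicyUnavailable(RuntimeError):
    """Raised when the policy source cannot be consulted (simulated outage)."""


def load_policy(available: bool = True) -> dict[str, frozenset[str]]:
    """Stand-in for reading the policy from a store; `available=False`
    simulates the store being down so the failure path can be exercised."""
    if not available:
        raise PolicyUnavailable("policy store unreachable")
    return POLICY


def is_allowed(role: str, action: str, policy_available: bool = True) -> bool:
    """Fail securely: only an explicit policy entry grants access, an
    unknown role has no grants, and any error during the check denies."""
    try:
        policy = load_policy(policy_available)
        allowed = action in policy.get(role, frozenset())
    except Exception as exc:  # fail closed, never open
        log.error("authz error role=%s action=%s: %s; denying", role, action, exc)
        return False
    log.info("authz role=%s action=%s decision=%s",
             role, action, "allow" if allowed else "deny")
    return allowed


def is_allowed_fail_open(role: str, action: str, policy_available: bool = True) -> bool:
    """The anti-pattern for contrast: an outage in the policy store turns
    into a blanket allow. Shown only to make the difference concrete."""
    try:
        return action in load_policy(policy_available).get(role, frozenset())
    except Exception:
        return True  # a product that "fails" this way fails insecurely


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for role, action in [("help-desk", "password:reset"),
                         ("help-desk", "invoice:issue"),
                         ("nobody", "ticket:read")]:
        print(role, action, is_allowed(role, action))
    print("store down, fail-closed:", is_allowed("auditor", "auditlog:read", False))
    print("store down, fail-open:  ", is_allowed_fail_open("auditor", "auditlog:read", False))
```

The only difference between the two functions is what happens on the exception path, which is exactly the case the “fail securely” item is about: the secure version gives an outage the same answer as an unknown role, a denial that is logged so the watchers can see it.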
Detection and response
- Detect attacks. Watch the security products. Look for signs of attack. Too often, valuable alerts from firewalls, servers, and even IDSs are simply ignored.
- Respond to attackers. It’s not enough to simply detect attacks. You need to close vulnerabilities when attackers find them, investigate incidents, and prosecute attackers.
- Be vigilant. Security requires continuous monitoring. Read about new attacks as soon as possible. Install all security patches and upgrades immediately.
- Watch the watchers. Audit your own processes regularly.
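The “detect attacks” item is the article’s whole point: the alerts are in the logs, but someone or something has to read them. As an added example (not code from the article, Counterpane, Conxion, or Panurgy), the monitor below reads firewall log lines, tracks each source address over a sliding window, and raises one alert when a source touches many distinct destination ports in a short time, escalating the severity if any of those probes was accepted. The log format, the addresses (all from documentation ranges), the time window, and the port threshold are constructed for the example and would be tuned to a real environment’s logs.

```python
"""Audit log monitor: flag a source probing many ports in a short window."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log format: ISO timestamp, action, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log: one probing source (203.0.113.7), one benign
# repeat visitor (198.51.100.4), one source below the threshold, one junk line.
SAMPLE_LOG = """\
2000-04-12T02:14:00 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp
2000-04-12T02:14:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2000-04-12T02:14:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2000-04-12T02:14:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
this line is garbage and is skipped
2000-04-12T02:14:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=25 proto=tcp
2000-04-12T02:14:04 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp
2000-04-12T02:14:05 ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp
2000-04-12T02:14:06 DENY src=203.0.113.7 dst=192.0.2.10 dport=110 proto=tcp
2000-04-12T02:14:30 DENY src=198.51.100.9 dst=192.0.2.11 dport=445 proto=tcp
2000-04-12T02:14:31 DENY src=198.51.100.9 dst=192.0.2.11 dport=139 proto=tcp
"""


def parse_line(line: str) -> dict | None:
    """Parse one log line; unparseable lines return None and are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "action": d["action"],
            "src": d["src"], "dst": d["dst"], "dport": int(d["dport"]),
            "proto": d["proto"]}


def detect_scans(lines, window: timedelta = timedelta(seconds=60),
                 min_ports: int = 5) -> list[dict]:
    """Return one alert per source whose events within `window` cover at
    least `min_ports` distinct destination ports. An alert stays open and is
    updated while the source keeps probing inside the window; severity is
    'high' if any probe was ACCEPTed (something answered), else 'medium'."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])  # logs from several devices may interleave
    history: dict[str, list[dict]] = defaultdict(list)
    open_alerts: dict[str, dict] = {}
    alerts: list[dict] = []
    for e in events:
        src = e["src"]
        cutoff = e["ts"] - window
        hist = [h for h in history[src] if h["ts"] >= cutoff]  # slide the window
        hist.append(e)
        history[src] = hist
        ports = {h["dport"] for h in hist}
        if len(ports) < min_ports:
            continue
        accepted = sorted({h["dport"] for h in hist if h["action"] == "ACCEPT"})
        alert = open_alerts.get(src)
        if alert is None or alert["last_seen"] < cutoff:  # new burst, new alert
            alert = {"src": src, "first_seen": hist[0]["ts"]}
            open_alerts[src] = alert
            alerts.append(alert)
        alert.update(last_seen=e["ts"], distinct_ports=len(ports),
                     accepted_ports=accepted,
                     severity="high" if accepted else "medium")
    return alerts


def format_alert(a: dict) -> str:
    """One-line summary an analyst could act on."""
    return (f"[{a['severity'].upper()}] {a['src']} probed {a['distinct_ports']} ports "
            f"between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}; "
            f"accepted: {a['accepted_ports'] or 'none'}")


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG.splitlines()):
        print(format_alert(alert))
```

Run as a script it prints a single high-severity line for 203.0.113.7 and nothing for the two benign sources. The threshold and window are the knobs that decide between the two failure modes the article describes: set too loose and every alert is noise that gets ignored; set too tight and the scan that precedes a real intrusion never sounds at all. Either way, the alert is only useful if a person is reading it.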
Michelle Cavanaugh is a freelance writer based in Jeffersonville, IN. She writes articles about IT security, project management, and certifications. Michelle is a former television news producer who has worked for network affiliates in the Midwest. She has freelanced for ESPN and public television among other new media outlets.