An Industry Built on Sand?

Forensic information is of paramount importance to the security professional.

Without detailed information on the hacks that are being directed at the network, it is difficult for a security administrator to know why an attack has been blocked and how to mitigate against future threats. Yet, as with many aspects of modern life, information overload is also an issue. As hacking levels continue to rise, security professionals are being overwhelmed by the ever increasing amount of alerts their security products are generating.

For security professionals, information overload can bring serious problems which affect their ability to do their job. In some cases, it can lead a company's security provisions up the garden path.

Hacking is a serious issue for many companies, and extrapolating from recent statistics, the situation is only going to get worse over the next couple of years. According to the Computer Emergency Response Team (CERT), a federally funded research and development center in the U.S., companies reported over 73,000 hacking incidents in Q1-Q3 of 2002 alone. This amounts to a 40 per cent increase on the total number of incidents reported for the whole of the previous year. Indeed, in the December 2002 alone, the U.K. Cabinet Office's web site suffered 1,167 attacks. In both cases, these statistics only record reported incidents, but do give a good indication of the volume of attacks that bombard companies' systems every day. With the increasing use of automated hacking tools, the amount of attacks directed at a company's system is sure to grow over the next few years.

So, as hacking levels continue to increase, the requirement for forensic information regarding attacks on individual networks has grown. Forensic information is vital to security administrators, as without it, they do not have a clear view of the type of attacks that their networks are subject to or the measures they need to take to protect their systems further.

In order to cope with this demand, the security industry has seen the emergence of a new range of products which aim to monitor and compile alert information produced by many different types of security products. These systems draw information from anti-virus software, firewalls and intrusion detection systems (IDS), to give the user one central repository for all alarm information. The security administrator can then cross-correlate this data to look for interesting patterns of hacking activity and use this information to further protect their systems.

Despite current technologies and approaches, many companies' security provisions are still in the Dark Ages. In the past there was no way of preventing malicious activity, so security administrators had no choice but to analyze as much data as possible regarding attempts on their systems in order to try to protect the network. Yet with all this reliance on data analysis, the security industry is in danger of leading itself up a blind alley.

Even with this new way of looking at the same data, security administrators need to spend time normalizing and validating the information before a true analysis can begin. In itself, this still creates a huge amount of work which must be expertly attended to, including recognition of false positives, where the system detects activity which it classes as malicious but is actually normal network activity. Even though the ultimate aim of these consoles is to try to create a system which reduces the information flow sufficiently in order that a decision can be made, this is nigh on impossible.

The danger lies in relying on this as a protection method. Companies still require an expert to sift through all this information to pinpoint actual vulnerabilities. While this analysis takes place, bringing with it the specter of human error, the system is still vulnerable to new attacks, in the absence of any real prevention mechanism.

This was the experience of many companies when the Code Red virus struck. The Code Red worm was first observed in the wild in July 2001. It compromised several hundred thousand hosts within a few hours and was estimated to have caused millions of pounds of damage. Most security product vendors were not able to update their signature databases until after it had done the majority of its damage. By that time, in many cases, it was too late as the harm had been done.

However, with the advent of intrusion prevention systems which detect attacks and prevent them before they cause damage, companies are able to circumvent the need for analysis to be done before action can be taken to protect the system. By using a system which proactively prevents attacks, there is no gap between the attack being detected and someone identifying it as an attack, and finally doing something to prevent it. In fact, the beauty of it is that these systems don't require human intervention at all, they automatically deal with the attack. Data analysis on its own is outdated and simply takes too long to provide any real protection against today's security threats which can multiply and mutate in seconds.

In some quarters where this preventative approach has not been adopted, the objective of the security policy has become distorted. These companies are more interested in analyzing data than actually detecting and preventing attacks.

Through over-reliance on data analysis, many companies could effectively build their security defenses on sand. The more security devices a company has, the more information security administrators are bombarded with. The more information they are faced with, the harder it is to decide on an appropriate reaction. And in many cases, the information provided is inaccurate - intrusion detection systems, for example, generate a large amount of false positives.

Without adopting a preventative model, many companies are actually missing the point. Investing in more security products does not actually create increased security - only the illusion of it. In the same way, analyzing more and more data does not make a company more secure either. The number one objective of any security system is surely to prevent attacks from causing damage. This must never be replaced by the illusion of security, and that is all data analysis can ever bring.

Iain Franklin is European vice president of Entercept Security Technologies, intrusion prevention specialists (

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.