Vulnerability & Log Management Only Get You So Far
Vulnerability and log management are two prominent methods of detecting security breaches, but they're not without their limitations. Some of the problems lie in how these systems are used by security professionals; in other instances the constraints are purely technical. Most organizations collect and archive system logs (syslog) in compliance with data security regulations such as PCI, SOX, HIPAA, NERC CIP, NCUA, FISMA, or SANS. Since virtually all network elements, including firewalls, switches, routers, production servers and third-party security appliances, produce syslog events, the objective of log management is to collect, retain and regularly review logs to identify unauthorized, irregular or malicious activity. There's little doubt that log information is useful in determining what has already occurred. But the notion of relying on historical log information to detect an attack in progress is undermined for several reasons:
- Log analysis relies on the reporting device's detection capability. For example, when a threat successfully bypasses perimeter defenses, typically no log event is generated at all. Relying on log information alone is therefore flawed.
- Logs tend to be voluminous. A single firewall is capable of generating 1 million events each day. Since most organizations collect logs from hundreds or thousands of devices (intrusion prevention systems, production servers and network infrastructure), expecting an organization to adequately review these logs daily is unrealistic.
- Though Security Information and Event Management (SIEM) systems can correlate log events to identify an incident, most IT departments lack the expertise to implement and maintain the heuristics.
- Logs are historical in nature and fairly useful for postmortem analysis of a breach. However, some modern attack vectors are designed to not log the fact that the malware or advanced persistent threat (APT) has manifested itself onto the host.
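The SIEM correlation mentioned above is easy to describe and surprisingly fiddly to get right, which is part of why the heuristics need ongoing maintenance. The following is an added illustration, not code from the original article or from any SIEM product: it parses a handful of constructed OpenSSH syslog lines (the hosts, addresses and timestamps are invented) and applies one common rule, a burst of failed logins from a source followed by a success within a time window. Note that the rule can only fire on events a device actually emitted, which is the first limitation listed above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not captured from any real system).
# 203.0.113.7 fails five times in 20 seconds and then succeeds; 198.51.100.4
# is an ordinary user with one typo followed by a key-based login.
SAMPLE_LOGS = """\
Mar 10 08:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 08:00:05 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 08:00:09 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51141 ssh2
Mar 10 08:00:14 web01 sshd[2207]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar 10 08:00:20 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 51162 ssh2
Mar 10 08:00:31 web01 sshd[2211]: Accepted password for root from 203.0.113.7 port 51170 ssh2
Mar 10 08:01:10 web01 sshd[2220]: Failed password for alice from 198.51.100.4 port 40011 ssh2
Mar 10 08:03:00 web01 sshd[2230]: Accepted publickey for alice from 198.51.100.4 port 40020 ssh2
"""

# Matches the two sshd message shapes used in the sample above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse(text, year=2024):
    """Turn raw syslog text into event dicts; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline should count unparsed lines, not drop them silently
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when one (host, source) pair fails >= threshold times inside `window`
    and then logs in successfully. Returns a list of alert dicts."""
    failures = defaultdict(list)  # (host, src) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["src"])
        # Drop failures that have aged out of the window before doing anything else.
        failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
        else:
            if len(failures[key]) >= threshold:
                alerts.append({"host": ev["host"], "src": ev["src"], "user": ev["user"],
                               "failures": len(failures[key]), "success_at": ev["ts"]})
            failures[key].clear()  # a success resets the counter either way
    return alerts


def run_sample():
    return correlate(parse(SAMPLE_LOGS))


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['host']}: {a['failures']} failures from {a['src']} "
              f"then success as {a['user']} at {a['success_at']:%H:%M:%S}")
```

Two maintenance points are visible even in this toy: the regular expression breaks the moment a vendor changes its message format, and the threshold and window are judgement calls that will need tuning per environment to keep false positives manageable.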
Most organizations perform periodic vulnerability assessments to identify weaknesses in their network security posture to remediate problems. There are a number of types of vulnerability scanners that vary by the targets they focus on. But they share a common purpose of highlighting the vulnerabilities present in one or more targets. While most vulnerability scanners are very good at detecting vulnerabilities, there are several challenges that undermine their usefulness:
- Vulnerability scanning should be performed on a weekly basis to ensure that any new vulnerabilities are identified and remediated before emerging threats are able to take advantage of them. However, since vulnerability scanners are typically priced by the number of IPs and the frequency of scans, IT organizations tend to use them sparingly in an effort to economize.
- Scan reports contain a mountain of vulnerabilities to remediate, with no prioritized list and no relevance to current threats seen on the organization's own network. Given that IT organizations are undermanned and underfunded, efforts to remediate detected vulnerabilities typically take a backseat to maintaining business services.
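One practical way to turn an unprioritized scan report into a short remediation list is to rank each finding by its scanner severity plus what the rest of the environment already knows about the affected host: whether it is exposed to the Internet and whether the intrusion detection system has seen attempts against that service. The example below is added here and is not code from the article or any vendor; the findings, hosts and IDS hits are constructed, and the weighting is an assumption to be tuned, not a standard.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    port: int
    check: str            # scanner check / plugin name
    cvss: float           # base score (0-10) as reported by the scanner
    internet_facing: bool # from the asset inventory


# Constructed scan output (not real data).
FINDINGS = [
    Finding("web01", 443, "TLS weak cipher suites enabled", 5.3, True),
    Finding("web01", 22, "OpenSSH outdated", 7.5, True),
    Finding("db01", 3306, "MySQL outdated", 9.8, False),
    Finding("hr-pc7", 445, "SMB signing disabled", 5.3, False),
    Finding("vpn01", 443, "VPN appliance outdated", 9.8, True),
]

# Constructed: (host, port) pairs the IDS reported exploit attempts against in the last 7 days.
IDS_HITS = {("web01", 22), ("hr-pc7", 445)}

# Assumed weights: exposure and observed attacker interest each push a finding up the list.
EXPOSURE_BONUS = 2.0
ACTIVE_THREAT_BONUS = 3.0


def priority(f, ids_hits):
    """Return (score, reasons) for one finding."""
    score, reasons = f.cvss, [f"cvss {f.cvss}"]
    if f.internet_facing:
        score += EXPOSURE_BONUS
        reasons.append("internet-facing")
    if (f.host, f.port) in ids_hits:
        score += ACTIVE_THREAT_BONUS
        reasons.append("exploit attempts observed by IDS")
    return round(score, 1), reasons


def rank(findings, ids_hits):
    """Sort findings by priority score, highest first; ties keep scanner CVSS order."""
    scored = [(priority(f, ids_hits), f) for f in findings]
    scored.sort(key=lambda item: (-item[0][0], -item[1].cvss))
    return [{"host": f.host, "port": f.port, "check": f.check,
             "score": score, "reasons": reasons}
            for (score, reasons), f in scored]


if __name__ == "__main__":
    for row in rank(FINDINGS, IDS_HITS):
        print(f"{row['score']:5.1f}  {row['host']}:{row['port']:<5} {row['check']}  "
              f"[{', '.join(row['reasons'])}]")
```

The point of the ranking is that the medium-severity SMB finding on hr-pc7 moves above the purely internal critical database finding only because something is actively probing it; a scan report alone carries no such signal, which is the gap the paragraph above describes.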
It’s safe to say that hackers will continue to find and exploit vulnerabilities in existing software, some of which has been around for a considerable amount of time. So it’s imperative for security professionals to consider a modern and proactive approach to vulnerability detection.